PCI SAQ - Which one is applicable to your Business

Published on : 20 Jul 2021


PCI Self-Assessment Questionnaires (SAQs) are like a checklist that Merchants and Service Providers use to comply with their PCI DSS requirements. Entities must complete the SAQ and submit it yearly to the acquiring bank to demonstrate their compliance with the latest version of the PCI Data Security Standards.

The PCI Council has listed 8 PCI SAQs for Merchants and Service Providers to choose from, based on their business and the way they process credit card transactions. Selecting the one that applies to your business is crucial, and determining which one applies can be overwhelming. To address that, the PCI Council has also charted out the different types of SAQs and their applicability based on the way cards are processed. Here is a quick summary of the different PCI SAQs and the requirements that entities must meet for each to comply with the PCI Standard. Before that, let us look at the Merchant levels to which SAQs are applicable.

Applicability of SAQ for different Merchant Levels

Level 2


  • Merchants processing between 1 million and 6 million Visa, Mastercard, or Discover transactions per year via any channel
  • Merchants processing between 50,000 and 2.5 million American Express transactions annually
  • Merchants processing less than 1 million JCB transactions annually

Validation Requirements:

  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance Form

Level 3


  • Merchants processing between 20,000 and 1 million Visa e-commerce transactions annually
  • Merchants processing 20,000 Mastercard e-commerce transactions annually, but less than or equal to 1 million total Mastercard transactions annually
  • Merchants that process 20,000 to 1 million Discover card-not-present only transactions annually
  • Less than 50,000 American Express transactions.

Validation Requirements:

  • SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 4


  • Merchants processing less than 20,000 Visa or Mastercard e-commerce transactions annually
  • All other merchants processing up to 1 million Visa or Mastercard transactions annually

Validation Requirements:

  • These largely depend on the requirements of the merchant’s acquiring bank
  • Typically include an SAQ and Quarterly Network Scan by ASV

Different Types of SAQ

| SAQ Type | Eligibility criteria |
|----------|----------------------|
| A | Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels. |
| A-EP | E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels. |
| B | Merchants using only imprint machines with no electronic cardholder data storage; and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. |
| C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. |
| P2PE | Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| D | For Merchants: All merchants not included in descriptions for the above types. For Service Providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire. |


An SAQ comprises a list of questions that the entity is required to answer accurately to demonstrate that it has taken all the necessary measures to secure cardholder data. Each SAQ includes a list of security standards that businesses must follow.

PCI SAQs vary in the number and type of questions that the entity is required to answer. So, while SAQ A is the shortest with just 22 questions, SAQ D is the longest with 329 questions that entities are required to fill accurately.

The SAQ is completed by members of the appointed Information Security Team. The completed SAQ comes with an Attestation of Compliance (AoC) signed by an officer of the company responsible for compliance, who may be the Chief Financial Officer or equivalent.


Protecting data is the top priority of an organization. Organizations should be proactive about their security and compliance programs to effectively protect their sensitive data and infrastructure. PCI SAQ forms an important part of your compliance program.

It puts your security to the test and checks the effectiveness of your security measures. The SAQ works as guidance or a roadmap to better security. Filling out a PCI SAQ is the best way to ensure the business has not missed out on any security requirements. So, given the importance of the SAQ and how essential it is for entities to select the right one, it is also essential that it is filled accurately.

That said, it only makes sense to work with a qualified PCI QSA firm that can help organizations simplify this daunting task of the self-assessment process. Engaging with a QSA like us at VISTA InfoSec can provide invaluable assistance in determining the applicability of SAQ, filling it, and helping entities reduce the scope of their cardholder data environment. 

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.