PCI SAQ Services

A PCI Self-Assessment Questionnaire (SAQ) is a guide that merchants and service providers follow to ensure compliance with PCI DSS. The SAQ works as a checklist, so that organizations do not miss any security requirements applicable to their business. Depending on the payment-processing methods in use, different SAQs may apply to an organization. It is important to note, however, that the PCI SAQ applies only to those service providers and merchants who store credit card data or process fewer than 300,000 payment card transactions annually.

Service providers who fall in this category are expected to self-attest their compliance with PCI DSS through a PCI SAQ. They need not undergo an onsite audit or submit a Report on Compliance (ROC) to their acquiring banks or payment brands. Note that the PCI SAQ is an annual activity for both merchants and service providers, and it is not as easy as it seems: performing a self-assessment requires the organization to define the scope of the assessment and to interpret the outlined requirements. This is where professionals like us at VISTA InfoSec come into the picture to help clients with their SAQ PCI DSS compliance. Our team makes your compliance process easy and hassle-free by guiding you through every stage of the process.


    Our Approach to PCI SAQ Services

    Scope Definition

    We spend significant time with your senior management on scope definition, which includes timelines, responsibilities, and budget for the implementation. Wherever possible, we provide inputs to consolidate the scope, thereby cutting project cost and timelines.

    PCI SAQ Selection

    The assessor first studies your business and cardholder data environment. Then, based on your business profile and your use of payment cards, the assessor selects the SAQ suitable for your business.

    PCI SAQ Gap Assessment

    We work with your team and relevant stakeholders to perform a gap analysis against the selected SAQ. Based on the findings, we provide recommendations for closing the gaps identified during the assessment.

    Strategy Building

    We develop an information security strategy with your team and align it with your business objectives. Working alongside your team, we identify and prioritize the assets directly linked to sensitive cardholder data and accordingly develop robust security measures and a strategy to protect them.

    PCI SAQ Preparation

    Our team works with yours to help you fill in the selected PCI SAQ, offers guidance on the attestation requirements and, on successful completion, provides the Attestation of Compliance.

    End-to-End Support

    Our team of experts will lead, coach, and direct your security team for your compliance efforts.

    PCI Managed Compliance

    PCI compliance is an ongoing process, so our team will continue to help you maintain PCI compliance. Our program ensures a hassle-free compliance process for your team.


    Why work with VISTA InfoSec?

    Vendor Neutral: We believe in being your true consulting/audit partners, so we do not sell hardware or software that would result in biased suggestions.
    Strictly No Outsourcing: We value your trust in us, so we do not outsource your critical assignments to a third party.
    Industry Expertise: We share industry-specific insight and provide relevant recommendations for achieving your compliance goals.
    Years of Experience: Your organization will benefit from our decade-long industry experience and knowledge.
    End-to-End Support: Our team will hand-hold you at every stage of the process to implement security controls and systems that protect the environment.
    Actionable Recommendations: Our team provides remediation to mitigate the risks your environment faces from external attackers, insider threats, automated worms, and network management errors, improving the security posture of your environment.
    Reports Detailing the Analysis Findings: Our team will provide you with a comprehensive report containing a prioritized list of vulnerabilities and compensating controls for issues that cannot be directly addressed.

    Frequently Asked Questions on PCI SAQ Services

    Small merchants and service providers who process fewer than 300,000 payment card transactions annually and are not required to submit a Report on Compliance (ROC) require a PCI SAQ. The Self-Assessment Questionnaire (SAQ) is designed as a self-validation tool for merchants and service providers to assess the security of cardholder data.

    Smaller organisations that process fewer transactions than larger organisations, or whose processes fall in a low-risk zone, cannot afford the investment needed to implement and maintain compliance with all the requirements of PCI DSS. In many cases, not all of the outlined requirements are applicable. The basic objective of the SAQ is to help such organisations maintain at least a minimum benchmark of security appropriate to the processes they are running. For further information on which SAQ is applicable to which organisation, please view our brief explanatory video.

    PCI SSC calls for all service providers and merchants to comply with the PCI DSS standards. However, if the entity does not fall in Merchant Level 1, which requires a ROC, then, based on its merchant level, business model and data-processing activity, it will have to complete a specific type of SAQ. In all cases, it is advisable to seek guidance on applicability from the payment brands or acquirers, since it is finally their call.

    Level 2

    Merchants processing between 1 million and 6 million Visa, Mastercard, or Discover transactions per year via any channel
    Merchants processing between 50,000 and 2.5 million American Express transactions annually
    Merchants processing fewer than 1 million JCB transactions annually

    Validation Requirements:

    Annual Self-Assessment Questionnaire (SAQ)
    Quarterly network scan by Approved Scan Vendor (ASV)
    Attestation of Compliance Form

    Level 3

    Merchants processing between 20,000 and 1 million Visa e-commerce transactions annually
    Merchants processing more than 20,000 Mastercard e-commerce transactions annually, but no more than 1 million total Mastercard transactions annually
    Merchants processing 20,000 to 1 million Discover card-not-present-only transactions annually
    Merchants processing fewer than 50,000 American Express transactions annually

    Validation Requirements:

    Quarterly network scan by ASV
    Attestation of Compliance Form

    Level 4

    Merchants processing fewer than 20,000 Visa or Mastercard e-commerce transactions annually
    All other merchants processing up to 1 million Visa or Mastercard transactions annually

    Validation Requirements:

    These largely depend on the requirements of the merchant's acquiring bank
    Typically an SAQ and a quarterly network scan by an ASV

    Below is a brief listing of the SAQ types and their eligibility criteria; you can alternatively watch our video on the topic.

    SAQ Type and Eligibility Criteria

    SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.
    SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.
    SAQ B: Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.
    SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
    SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
    SAQ C: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.
    SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.
    SAQ D for Merchants: All merchants not included in the descriptions for the above types.
    SAQ D for Service Providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.

    Every Self-Assessment Questionnaire (SAQ) was created to support a specific type of environment, depending on how the entity stores, processes, and/or transmits cardholder data. Each SAQ defines specific criteria that must be met in order to be eligible to use that SAQ. The intent of having different criteria is to ensure that the entity's environment is properly scoped and suitable for validation against the subset of PCI DSS requirements contained in the SAQ. An environment containing a type of system that is not eligible for a particular SAQ may be subject to different and/or additional PCI DSS requirements than those included in that SAQ.

    Entities must validate the SAQ annually.
