A PCI Self-Assessment Questionnaire (SAQ) is a guide for merchants and service providers to follow and ensure compliance to PCI DSS. The SAQ works as a checklist for organizations so they do not miss out on any security requirements applicable to their business. Depending on the payment processing methods, there are different SAQ that might apply to the organization. However, it is important to note that PCI SAQ applies to only those Service Providers and Merchants who store credit card data or process less than 300,000 payment card transactions annually.
Self-attesting compliance to PCI DSS through a PCI SAQ is what is expected from Service Providers who fall in this category. They need not go for an onsite audit or submit (ROC) Report on Compliance to their acquiring banks or payment brands. However, it is important to note that PCI SAQ is an annual activity to be performed by both Merchants and Service Providers. However, it is not as easy as it seems to be because performing a self-assessment requires the organization to define the scope for assessment and interpreting the outlined requirements. This is when professionals like us at VISTA InfoSec come into the picture to help clients with their SAQ PCI DSS Compliance. Our team makes your compliance process easy and hassle-free by guiding you through every stage of the process.
We spend significant time with your senior management in scope definition which includes timelines, responsibilities, and budget for the implementation. Wherever possible, we provide inputs to consolidate scope thereby cutting down on project cost and timelines.
The assessor first understands your business and cardholder data environment. Then based on the business profile and the use of payment cards, the assessor selects the SAQ suitable for your business.
We work with your team and relevant stakeholders to perform a GAP Analysis against the selected SAQ. Then based on the findings we provide recommendations on closing the gaps identified during the assessment process.
We develop an information security strategy with your team and align it with business objectives. Working along with your team, we identify and prioritize the assets that are directly in link with cardholder’s sensitive data and accordingly develop a robust security measure and strategy.
Our team will work with your team to help you in filling the selected PCI SAQ and offer you guidance on the attestation requirements and on successful completion, provide Attestation of Compliance.
Our team of experts will lead, coach, and direct your security team for your compliance efforts.
PCI Compliance is an ongoing process and so our team will continue helping you maintaining PCI Compliance. Our program will ensure it to be a hassle-free compliance process for your team.
Small merchants and service providers who process less than 300,000 payment card transactions annually and are not required to submit a Report on Compliance (ROC) require a PCI SAQ. The Self-Assessment Questionnaire (SAQ) is designed as a self-validation tool for Merchants and service providers to assess security for cardholder data.
Smaller organisations processing less number of transactions compared to larger organisations or working processes which are in a low risk zone cannot afford the investment to implement and maintain compliance to all the requirements of PCI DSS. In many cases, not all of the listed or outlined requirements are applicable. Basic objective behind SAQ is for helping such organisations maintain at least a minimum benchmark of security as per the processes that they are running. For further information on what SAQ is applicable to which organisation, please do view our brief explanatory video.
PCI SSC calls for all Service Providers and Merchants to comply with the PCI DSS Standards. However, if the entity does not fall in the Merchant level 1 that requires an RO, then based on the merchant levels and type business model and data processing activity will have to comply with a specific type of SAQ. In all cases, it is advised to get guidance of applicability from the payment brands or acquirers since it is finally their call.
Below is a brief listing. You can also alternatively view our video on:
|SAQ Type||Eligibility Criteria|
|A||Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.|
|A-EP||E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.|
|B||Merchants using only: • Imprint machines with no electronic cardholder data storage; and/or • Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.|
|B-IP||Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.|
|C-VT||Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.|
|C||Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.|
|P2PE-HW||Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.|
|D||For Merchants: All merchants not included in descriptions for the above types.|
|D||For Service Providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.|
Every Self-Assessment Questionnaire (SAQ) was created with an intent to support a specific type of environment, depending on how the entity stores, processes, and/or transmits cardholder data. Each SAQ defines specific criteria that must be met in order to be eligible to use that SAQ. The intent of having different criteria is to ensure that the entity’s environment is properly scoped and made suitable for validation against the subset of PCI DSS requirements contained in the SAQ. An environment containing a specific type of system if not be eligible for a particular SAQ may likely be subject to different and/or additional PCI DSS requirements than those included in the SAQ.
Entities must validate the SAQ annually.