By Bill Minahan | May 20, 2020 | 0 Comments
An SAQ is a merchant’s statement of PCI compliance. A PCI self-assessment questionnaire (PCI SAQ) is a self-validation tool to assess security for cardholder data.
An SAQ is a way to prove you are taking the security measures needed to keep cardholder data safe and meeting compliance regulations.
The PCI SAQ is made up of a series of yes-or-no questions for each PCI data security requirement. Furthermore, each SAQ includes a list of security standards that businesses must review and follow to meet PCI compliance.
PCI SAQs vary in length depending on the different needs and environments of each merchant required to meet PCI compliance. For instance, PCI SAQ A is the shortest with just 22 questions. In contrast, SAQ D is the longest with 329 questions.
There are two components to the PCI SAQ:
There are 9 different SAQs a merchant can take to meet compliance. Your SAQ depends on how you process credit cards and store cardholder data. For instance, if you sell all your products online and process cardholder data from a trusted third-party, then you are most likely eligible for SAQ A or SAQ A-EP. In contrast, if you have a store that processes credit cards through the internet, or if you store cardholder data, then you are likely required to take SAQ D.
Specifically, there are 9 different types of SAQs for PCI compliance. In order to determine which category your organization falls under, use the list provided below:
Card-not-present merchants ( e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s system or premises.
Merchants using only:
Imprint machines with no electronic cardholder data storage; and/or
Standalone, dial-out terminals with no electronic data storage
Merchants using only standalone PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
Merchants who manually enter a single transaction at a time via a keyboard into an internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
Merchants with payment application systems connected to the internet, no electronic cardholder data storage.
Merchants using only hardware payment terminals that are included and managed via a validated, PCI SSC-listed P2PE solution, with no electronic data storage.
All merchants not included in the descriptions for the above SAQ types.
All service providers defined by a payment brand as eligible to complete an SAQ.
If you have any questions about which SAQ your company needs to take, then please contact us.
SAQs prove to auditors and customers that you are compliant with PCI requirements. However, compliance is only one half of it. SAQs also prove your handling sensitive data securely and care about security best practices.
In most cases, merchant processors and paying customers do not want to work with businesses that do not take data security seriously. Therefore, they use PCI SAQ as proof of the competence of your security.
If you have an upcoming PCI audit deadline and need help with compliance or determining which SAQ is right for your business, then please contact one of our compliance and security experts for a quote.
Our compliance experts work as an extension of your team, no matter how big or small your business is. As a result, we help make sure you are PCI compliant and audit-ready.
If you are looking to gauge your PCI compliance strength, then please use our free tool to gain actionable insights into your PCI compliance.
Our tool covers all 12 PCI DSS compliance requirements. Furthermore, it delivers your results in seconds.
If you have any questions regarding the PCI DSS assessment tool, SAQs, or compliance issues, then please contact us.
Otherwise, you can call us directly at 855-459-6600.
Furthermore, if you are looking for more information on PCI DSS compliance, then you can find it here.