Even before last year’s pandemic forced most of us to shop online, we were already heading in that direction — an easy transition considering that, according to Experian, each U.S. consumer carries an average of four credit cards from which to choose. But this increase in credit card usage also brings with it greater risks associated with collecting customer data.
Of course, the Payment Card Industry Data Security Standard (PCI DSS) compliance framework accounts for that, helping to ensure that organizations that accept credit card payments meet required levels of security when storing, processing and transmitting cardholder data. And while PCI compliance is not required by law, a potential data breach comes at a great expense, costing your company its reputation and customers, not to mention hefty fines.
Unfortunately, maintaining compliance is not simple. If you’re a larger organization with a complex payment processing infrastructure, you may work with a Qualified Security Assessor (QSA) to perform the necessary assessments and to create and submit your Report on Compliance (ROC). But for many businesses, taking advantage of Self-Assessment Questionnaires (SAQs) to evaluate data security is the best option.
There are many SAQs, and the best one to use depends on a variety of factors, including how your business accepts payment cards (e.g., in person or online) and how much of your payment acceptance channel is outsourced (e.g., to a digital payments or e-commerce provider). For instance, SAQ A is based on a small subset of PCI DSS and is for businesses that have outsourced all cardholder data activities to PCI-compliant third-party service providers. On the other hand, there are two SAQ Ds, one for merchants and one for service providers, which are the most extensive options and are meant for those who perform most of their own processing.
Regardless of which SAQ you need for your organization’s PCI compliance self-assessment, you’ll still want to complete five key activities in advance to ensure you’re prepared for your SAQ submission.
1. Develop a network diagram.
Make sure you have a complete view of your cardholder data environment (CDE) infrastructure so you can see where cardholder data is present and how it is protected. If you outsource any part of your payment acceptance activity, you’ll want to work with your vendors to ensure their infrastructures are also reflected in your diagram.
2. Build a data flow diagram.
You also need to understand how your cardholder data is processed and flows through your CDE infrastructure.
3. Identify data access points.
It’s critical to know which applications or tools have access to your CDE, even if they don’t actually process cardholder data (e.g., internal firewalls, third-party encryption tools, etc.).
4. Conduct internal testing.
Test that the necessary controls are in place and operating before you submit your annual SAQ. Using a GRC tool will allow you to easily track your testing and identify issues and solutions for remediation, as well as provide real-time reporting on status.
5. Create a hardware and software inventory.
Document all hardware and software you are utilizing in the CDE, including version details and the patches currently applied.
Once you’ve identified the appropriate SAQ for your business and completed these five key activities, you’re ready to begin your self-assessment for PCI compliance.
To learn more about Self-Assessment for PCI, watch our on-demand webinar Self-Assessing for PCI: How to Get the Most Out of Your Program.