Which PCI SAQ Do I Need?

Which of the nine Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaires (SAQs) your organization needs to fill out and submit depends on several factors:

  •     How you process credit-card transactions. Do you outsource these transactions to a third party to process, or do it yourself?
  •     What type of payment processing machine or terminal you use for credit and debit card transactions.
  •     Whether you accept payments in-store from customers with a physical card or phone-pay application, or are strictly e-commerce only.


What is an SAQ, and what is it for? 

PCI DSS Self-Assessment Questionnaires (SAQs) are tools provided by the PCI Security Standards Council (PCI SSC) to help payment-card-processing merchants and service providers measure their own PCI compliance Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaires (SAQs).

Organizations that are not required to procure an on-site audit by a Qualified Security Assessor (QSA) or Internal Security Assessor and the resulting Report on Compliance (ROC) are permitted, instead, to self-assess. SAQs contain two components:

  •     Questions correlating to the PCI DSS requirements
  •     An Attestation of Compliance (AOC), to be filed with your acquiring bank


Which SAQ is right for my organization? 

The PCI SSC has developed eight merchant SAQs and one for service providers. The PCI DSS 3.2.1 SAQ types and their intended users are:

  • SAQ A: For merchants doing business remotely (e-commerce, mail order, telephone order) that have outsourced payment card data processing and storage to a PCI DSS-validated third party, and do not store card or cardholder data in any form.
  • SAQ A-EP: For e-commerce merchants that have outsourced credit card data processing and storage to a PCI DSS-validated third party but also maintain a website that doesn’t receive cardholder data but could affect the security of a payment transaction.
  • SAQ B: For merchants conducting sales in person using credit card imprint machines or standalone, dial-out terminals that do not store cardholder data electronically.
  • SAQ B-IP: For card-present merchants conducting sales in person using only standalone, PIN Transaction Security (PTS)-approved card payment terminals with an internet protocol (IP) connection to the payment processor, and that do not store electronic cardholder data.
  • SAQ C-VT: For merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS-validated third-party service provider. SAQ C-VT merchants may not store electronic cardholder data.
  • SAQ C: For merchants conducting sales in-person using payment application systems connected to the Internet. SAQ-C merchants do not store electronic cardholder data.
  • SAQ P2PE: For merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.
  • SAQ D for Merchants: For all merchants not included in descriptions for the above SAQ types.
  • SAQ D for Service Providers: For all service providers defined by a payment brand as eligible to complete an SAQ.

If your organization processes, stores, or transmits payment card information and you are not required to obtain an on-site audit and ROC, you must complete an SAQ and submit it with an AOC to your acquiring bank.


How to Save Time and Money on your SAQ

PCI DSS SAQ forms can be lengthy and laborious to fill out, costing your organization time, money, and other valuable resources. This is especially true if you are using spreadsheets to track your PCI compliance efforts, and gathering documentation from disparate sources such as email accounts, mail correspondence, website materials, and text messages.

To ease the self-assessment task and save time and money, why not try a compliance software? ZenGRC can, among other things:

  •     Help you minimize the scope of your cardholder data environment (CDE)
  •     Probe your systems and networks to see where you comply with PCI DSS and where you don’t
  •     Tell you what you need to do to reach compliance
  •     Provide a user-friendly overview of your PCI compliance posture on our “single source of truth” dashboard
  •     Collect and keep the audit-trail documents you need
  •     Survey and monitor your third-party service providers’ compliance
  •     Continuously monitor your ongoing PCI DSS compliance

Isn’t it time you ditched your confusing, old-fashioned spreadsheets for a complete, easy-to-use compliance solution? Call a Reciprocity expert today, and take your first step on the worry-free path to PCI DSS compliance—the Zen way.