The Self-Assessment Questionnaires (SAQs) are validation tools designed to help merchants and service providers report the results of their PCI DSS self-assessment. A completed SAQ serves as evidence that the self-assessment was performed. SAQs must be submitted yearly to your acquiring bank to demonstrate compliance with the latest version of the PCI Data Security Standard, which is currently PCI DSS 3.2.1.

The PCI Security Standards Council publishes 8 PCI SAQs to choose from, based on how your organization is structured and how it processes credit card transactions.

Tips to help you choose

Choosing the right one can be confusing and overwhelming. Below we explain the different PCI SAQs, how they differ from each other, and the conditions you must meet to be eligible for each one.

SAQ A

1. The organization must be a Card Not Present (CNP) merchant, meaning a merchant that accepts credit cards as a form of payment through an e-commerce site, over the telephone, or through the mail.
2. The organization must fully outsource all cardholder data functions to a PCI DSS validated third party (Service Provider), and it must not store, process, or transmit any cardholder data on its own network.

SAQ A-EP

1. The organization must only accept credit card payments via an e-commerce channel (website). This rules out payments by credit card through the mail, telephone, or fax.
2. The organization must have one or more websites that do not themselves receive cardholder data but could affect the security of the transaction. In other words, the website redirects the customer to a third party for payment in a way that may appear to be part of your own site (for example, an iframe). Because your site controls that redirect, it could affect the security of the transaction.
3. The merchant must not store, process, or transmit any cardholder data on its own systems.

SAQ B

1. Card Present transactions only, where the cardholder presents the card in person. This rules out any e-commerce channels, as those are Card Not Present transactions.
2. The merchant must be using either an imprint machine with no cardholder data storage or standalone dial-up terminals with no electronic cardholder data storage.

SAQ B-IP

1. The merchant must be using standalone, PTS-approved terminals. PTS stands for PIN Transaction Security, so think of the keypads used to enter your PIN when paying with a debit card.
2. These terminals must be IP-connected, that is, connected to the Internet (not dial-up as in SAQ B), and must not store electronic cardholder data.

SAQ C

1. The merchant must be using a payment application system connected to the Internet.
2. The merchant must not store any electronic cardholder data. This SAQ is not applicable to e-commerce merchants.

SAQ C-VT

1. The merchant must manually key in one transaction at a time, via a keyboard, into an Internet-based virtual terminal (VT) that is hosted and provided by a validated PCI DSS Service Provider.
2. The merchant must not store any electronic cardholder data. This SAQ is not applicable to e-commerce merchants, as it covers card present transactions.

SAQ P2PE-HWE

1. The merchant must be using only payment terminals that are managed by a P2PE (Point-to-Point Encryption) solution listed by the PCI Security Standards Council.
2. The merchant must not store any electronic cardholder data. This SAQ is not applicable to e-commerce merchants, as it covers card present transactions.

SAQ D

(While this is listed as a single SAQ, there are 2 PCI SAQ Ds.)

For Merchants – All companies that do not fit the descriptions for the SAQ types above.
For Service Providers – Almost all Service Providers must complete a PCI Report on Compliance (PCI ROC). There are some exceptions where the payment brands allow a Service Provider to complete an SAQ instead.

As you can see, the list of SAQs is long, and deciding which one to complete can be overwhelming.

Guidelines to narrow down the appropriate SAQ

Here are a couple of guidelines you can use to help you choose the appropriate SAQ:

Card Not Present Transactions – SAQ A, SAQ A-EP, SAQ D
Card Present Transactions – SAQ B, SAQ B-IP, SAQ C, SAQ C-VT, SAQ P2PE-HWE, and SAQ D
Service Providers – SAQ D

Ask your acquiring bank

If you aren't sure, ask your Qualified Security Assessor or your acquiring bank. They are the ones who can tell you definitively which SAQ is appropriate for your environment. Eliminate the guesswork and confusion and get the answer from the source.