The Self-Assessment Questionnaires (SAQs) are validation tools designed to help merchants and service providers report on the results of their compliance with PCI DSS. It can be used by eligible organizations who self-assess their PCI DSS compliance, and who are not required to do a full PCI DSS audit and submit a Report on Compliance (ROC).

Different types of SAQs

There are different types of SAQs available for various business environments. In some cases, an additional Attestation of Compliance (AoC) is needed. This is a document signed by a certified Qualified Security Assessor (QSA).

It can be confusing to find out whether an organization needs a ROC, or if an SAQ would be sufficient. The selection criteria are based on the risk of possible frauds involved for each type of business. Depending on the type of technology that your business implements to carry out the payment transactions, a corresponding type of SAQ needs to be completed. If you are in doubt, you can contact your merchant bank (acquirer), your card branch or a certified QSA can help out to determine this and determine which SAQ would be applicable for your organization.

We explain about the different SAQ types in the table below:

SAQs description

If a merchant does not electronically store the data of the cardholder and only keep that information in paper-printed documents, some options provided by the SAQs A, B or C should be used.

Keep in mind

  1. We recommend that you only store documents with cardholder data when it is really required and justified by the business. It will reduce the risk of your company.
  2. The SAQs must be completed by a company representative but you may need help from a QSA. A QSA has the experience of evaluating requirements and will be able to advise you to understand and correctly complete each of the requirements in the context of your business.
  3. As with traditional PCI-DSS audits, it must be repeated annually.

If you would like any clarification on the information here, please visit the official PCI website.

About the author:
Natalia Morando is a security professional in PCI and has over 12 years of experience. For more information about SAQ and PCI please feel free to contact Natalia.