Different types of SAQs
There are several SAQ types, each written for a particular way of handling payments (for example SAQ A, A-EP, B, B-IP, C, C-VT, P2PE and D). Every completed SAQ is accompanied by an Attestation of Compliance (AOC): a document signed by an officer of the merchant and, where a Qualified Security Assessor (QSA) was involved in the assessment, also by the QSA.
It can be confusing to work out whether an organization needs a full Report on Compliance (ROC) or whether an SAQ is sufficient. The selection criteria are based on the level of fraud risk associated with each type of business. Depending on the technology your business uses to carry out payment transactions, a corresponding SAQ type must be completed. If you are in doubt, your merchant bank (acquirer), the card brand or a certified QSA can help you determine whether an SAQ applies and, if so, which one.
The table below describes the different SAQ types:
If a merchant does not store cardholder data electronically and keeps that information only in paper records, one of SAQ A, B or C will usually apply, depending on how transactions are processed.
Keep in mind
- We recommend that you store documents containing cardholder data only when it is genuinely required and justified by the business. This reduces your company's exposure.
- The SAQ must be completed by a company representative, but you may need help from a QSA. A QSA has experience evaluating the requirements and can advise you so that you understand and correctly complete each requirement in the context of your business.
- As with a full PCI DSS assessment (ROC), the SAQ must be repeated annually.
If you would like clarification on any of the information here, please visit the official PCI Security Standards Council website.
About the author:
Natalia Morando is a PCI security professional with over 12 years of experience. For more information about SAQs and PCI DSS, please feel free to contact Natalia.