What is a PCI SAQ (Self-Assessment Questionnaire)?
- Every merchant that handles cardholder data is required to be PCI DSS (Payment Card Industry Data Security Standard) compliant. PCI DSS ensures that cardholder data remains secure by following basic security standards.
- PCI DSS requirements must not only be followed, but annually validated through an internal or external audit. For companies that qualify for an internal audit, they will be required to submit a PCI DSS Self-Assessment Questionnaire (SAQ).
- There are multiple different SAQ types. Merchants will need a cursory understanding of each type in order to choose the right questionnaire to fill out.
What is a PCI DSS SAQ?
A PCI DSS SAQ is a tool for validating PCI compliance for merchants that are not required to submit a PCI DSS Report on Compliance (ROC). Merchants with fewer annual transactions will be able to submit an SAQ, while larger merchants will have to go through the lengthier ROC process. SAQs are a tool for “smaller” merchants to both examine their payment security and officially report their PCI compliance.
Which merchants report compliance via SAQ? That depends on a merchant’s PCI Level. If you’re not sure what your PCI level is, or whether you should fill out an SAQ or an ROC, refer to the table below.
|PCI DSS Level||Level Criteria||ROC or SAQ?|
|Level 1||A merchant who processes over 6 million transactions annually||ROC|
|Level 2||A merchant who processes 1 to 6 million transactions annually||ROC or SAQ|
|Level 3||A merchant who processes 20 thousand to 1 million transactions a year||SAQ|
|Level 4||A merchant who processes less than 20 thousand transactions a year||SAQ|
For merchants who choose to fill out an SAQ, the questionnaire will go through the requirements of PCI DSS and ask “yes/no” questions about the merchant’s payment and security systems.
SAQs are approximately 20 pages in length and may require supplemental answers or worksheets based on a merchant’s answers. For example, merchants who answer “no” on important requirements must also explain the remediation in process to fix the issue.
The first step to filling out a PCI SAQ is finding the correct version of the SAQ for your company, so that’s what we’ll look at next.
Finding the Correct PCI Self-Assessment Questionnaire
Before your company begins working through a PCI SAQ, it’s important that your company has found the right SAQ document for its needs. There is no “general” Self-Assessment Questionnaire that any company can use. SAQs ask niche and in-depth questions, so merchants are seperated into different general catagories to avoid excessive irrelevant questions. Many questions for an ecommerce merchant, for example, won’t apply to a traditional brick-and-mortar store, so they’ll fill out different SAQs.
Finding the right SAQ isn’t intuitive, so we’ve created the table below to explain the differences between them all.
|PCI SAQ Levels||Description||Exceptions|
|SAQ A||Ecommerce merchants that have fully outsourced all cardholder data functions to a third party.||Not applicable to face-to-face transactions.|
|SAQ A-EP||Ecommerce merchants who have outsourced payment processing to a third party, but still have websites that impact the security of payment transactions, even though it doesn’t directly receive cardholder data.||Not applicable to face-to-face transactions.|
|SAQ B||Merchants that use only imprint machines and/or standalone dial-out terminals (no electronic cardholder data storage).||Not applicable to ecommerce.|
|SAQ B-IP||Merchants using only PTS approved payment terminals with IP connections to the payment processor (no electronic cardholder data storage).||Not applicable to ecommerce.|
|SAQ C-VT||Merchants who manually enter transactions via keyboard into a virtual payment terminal hosted by a third party (no electronic data storage).||Not applicable to ecommerce.|
|SAQ C||Merchants with payment applications connected to the internet (no electronic data storage).||Not applicable to ecommerce.|
|SAQ P2PE||Merchants using validated PCI SSC listed Point-to-Point Encryption payment terminals (no electronic data storage).||Not applicable to ecommerce.|
|SAQ D for Merchants||All merchants not included in the above categories.||Not applicable to Service Providers|
|SAQ D for Service Providers||All service providers eligible to complete an SAQ.||Not applicable to Merchants|
Your company is responsible for meeting all of the PCI DSS requirements that apply to your specific payment environment. If your company is filling out an SAQ that does not cover any PCI DSS requirements specific to your environment, double check to ensure you’re filling out the right SAQ. If you’re looking for a more in-depth description of each SAQ, read the full PCI DSS SAQ Guide here.
How to Fill out the SAQ
After you’ve identified the right SAQ for your business, you can download and begin filling out the SAQ. SAQs are simple in concept, but rarely simple in execution. Make sure you start this process with plenty of time before your company’s deadline in case complications arise. Verification methods and expected testing procedures will be explained for each question, so take a quick scan of the SAQ questions at the beginning of the process to reserve enough time to complete all these requirements.
If your company relies on any compensating controls to meet a PCI DSS requirement, you will need to fill out compensating controls worksheets and submit them along with your SAQ. Also note that your company may be required to run penetration testing or vulnerability scans to assess your company’s cybersecurity weaknesses.
Tips for Simplifying the SAQ PCI Process
Even for companies that handle less than six million transactions a year, verifying PCI compliance through an SAQ can be complex. With the right tools, accurately assessing and reporting your PCI compliance doesn’t have to be a pain. If you have a particularly complex payment system, or want expert help, consider hiring a QSA (Qualified Security Assessor). QSAs are certified by the PCI Council to assist merchants and service providers with their PCI compliance verification process.
To reduce the complexity of your SAQ, and radically increase the security of your cardholder data, also consider tokenization tools, like TokenEx. Tokenization reduces the scope of an SAQ audit by securely storing data outside of internal systems. Representations of the original data, called tokens, remain within internal systems to preserve the data’s functionality.
Tokenization revolutionizes data protection by leaving no data inside internal systems for hackers to steal. Additionally, the lack of cardholder data means that the scope of a PCI audit, whether it be a ROC or SAQ, is greatly diminished. If you’re interested in outsourcing cardholder data security and reducing compliance burdens, check out our free PCI compliance guide, or learn more about tokenization below.