Jul 25 2022

PCI DSS: Which PCI SAQ is Right for My Business?

Category: pci dss

DISC @ 12:25 pm

Organisations that fall within Levels 2–4 of the PCI DSS (Payment Card Industry Data Security Standard) can attest to compliance with an SAQ (self-assessment questionnaire).

You will fall into one of those levels if your organisation processes fewer than six million card transactions per year.

There are several types of questionnaire, and in this blog we help you understand which one is right for you.

What is a PCI SAQ?

Organisations that are subject to the PCI DSS must demonstrate that they have taken appropriate steps to secure the payment card data that they hold.

There are two ways to do this: with a PCI SAQ or an RoC (report on compliance). Each payment brand (American Express, Discover, JCB, MasterCard and Visa) has its own requirements, so each brand establishes its own eligibility criteria for an SAQ or an RoC.

The PCI SAQ is the less rigorous method and is typically used for organisations that process fewer than six million transactions annually.

Once it's completed, the PCI SAQ is signed off by an officer of the merchant or service provider, validating the organisation's compliance practices.

PCI SAQ types

There are several types of PCI SAQ, each applying in particular circumstances. It's essential that organisations choose the correct assessment. They are as follows:

SAQ A

For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants. 

It applies where: 

  • The merchant's website is hosted and managed by a PCI-compliant third-party payment processor; or
  • The merchant's website provides an iframe (inline frame) or URL that redirects customers to a PCI-compliant third-party payment processor.

Nearly all online merchants aim for SAQ A, because it is the simplest, least time-consuming assessment.

SAQ A-EP

For e-commerce merchants that don't receive cardholder data but do control the method through which data is redirected to a third-party payment processor.

It applies where: 

  • The merchant's website creates a payment form and "direct posts" payment data to a PCI-compliant third-party payment processor; or
  • The merchant's website provides an iframe or URL that redirects a consumer to a PCI-compliant third-party payment processor, but some elements of the payment page originate from the merchant website.

SAQ B

For merchants that only process credit card data via imprint machines or via a standalone dial-out terminal. 

Card imprint machines are non-electronic machines that make an imprint of the payment card, transferring the imprint onto a carbon paper receipt, which is then stored by the merchant. 

Dial-out terminals are electronic machines that use chip and PIN and swipe cards, or require users to manually key in information. To be eligible for SAQ B, a merchant's standalone dial-out terminal must be connected to a phone line and nothing else.

SAQ B-IP

For merchants that don't store card data in electronic format but use IP-connected POI (point-of-interaction) devices. These merchants may handle either card-present or card-not-present transactions.

SAQ C-VT

For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function. 

SAQ C

For merchants that process cardholder data via POS (point-of-sale) systems or other payment application systems connected to the Internet. 

To be eligible for SAQ C, a merchant must operate isolated payment application systems that are connected to the Internet and don't store electronic cardholder data.

SAQ D

For those that don't fit into any of the above categories. It is often referred to as 'Report on Compliance Light', because it requires organisations to go through all 12 PCI DSS requirements, albeit on a reduced scale.

There are separate forms for merchants and service providers. 

SAQ P2PE-HW

For merchants that use card-present transactions, meaning it is not applicable to organisations that deal in e-commerce. 

Merchants that use a PCI-validated P2PE (point-to-point encryption) solution and have implemented it successfully are eligible for SAQ P2PE-HW. 

Identify the right SAQ with IT Governance

Hopefully you've now identified which SAQ applies to you, but how do you go about completing the form?

That's where our PCI DSS Documentation Toolkit can help. It contains all the template documents you need to ensure complete coverage of your PCI DSS requirements.

All you need do is fill in the sections that are relevant to your organisation.

The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.

It's fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant with the Standard.


Tags: pci dss, PCI SAQ