Which SAQ is Right for Your Situation?

Author: Alex Douds

PCI complianceThe PCI Self-Assessment Questionnaire (SAQ) is a list of questions used to assess compliance with the requirements of the PCI DSS. The SAQ process is basically a validation tool for merchants and service providers that are not required to do an on-site data security assessment. Any oversight in the SAQ process puts the entire PCI compliance effort at risk, so having a QSA assist or consult on a self assessment is a common PCI risk mitigation strategy used by many small to mid-size merchants and service providers. PCI DSS standards can be very complex and difficult to negotiate for any organization, but particularly for smaller organizations with limited IT staff and resources. Even when a QSA review is not mandatory, organizations often seek the advice of a QSA in order to ensure that everything in the SAQ has been completed correctly.

PCI security standardsThere are multiple versions (A, B, C, D) of the PCI DSS SAQ to meet various business situations. The most comprehensive of these – Version D - .for merchants who store cardholder data on their computer systems – requires answers to over 220 questions

A brief overview follows:

 

SAQ VALIDATION TYPE

DESCRIPTION

SAQ

1

Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.

A

2

Imprint-only merchants with no electronic cardholder data storage

B

3

Merchants with web based virtual terminals, no electronic cardholder data storage

C-VT

4

Merchants with POS systems connected to the Internet, no electronic cardholder data storage

C

5

All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.

D

PCI

 

If you are a merchant, it’s important for you to understand whether or not you need to conduct on a site assessment in order to get into PCI DSS compliance, or whether you can use a self evaluation process. If you can self evaluate, it’s then important to understand which SAQ process is the right one for your situation.

Need more information about how you can get in compliance with PCI Data Security Standards or the compliance process that’s right for you? Contact us here. Or call Larry Hessney at 585-360-1480.