Choosing the Right SAQ for Your Business
As you look to achieve and maintain PCI DSS compliance, selecting the appropriate Self-Assessment Questionnaire (SAQ) is crucial. The SAQ you need depends on how your business handles cardholder data during transactions.
What is a Merchant in PCI DSS?
PCI DSS applies to three kinds of organisation: merchants, service providers, and acquirers (banks). All are required to achieve and maintain PCI compliance. According to PCI DSS guidelines, a merchant is any organisation that processes payment card transactions, whether online (e-commerce), at a physical payment terminal, or via phone/mail order.
In addition, PCI DSS also covers service providers, who process payments on an organisation’s behalf.
An organisation can be both a service provider and a merchant. For example, an Internet Service Provider (ISP) accepts payment cards for monthly billing (merchant), and also hosts merchants as customers (service provider).
Which SAQ Should Your Organisation Take? A Guide to the Different SAQ Types
There are a number of different SAQ types. Each has different scope, considerations and requirements. The most appropriate SAQ for you will depend on your environment.
Below is a guide to help you determine the right SAQ for your organisation:
For Merchants that Don’t Store Cardholder Data:
The following SAQ types apply to merchants that don’t store, process or transmit account data (i.e. customers’ payment details) electronically on their own systems. Any account data associated with transactions is handled by a third-party payment solutions provider. These merchants may still keep physical records of account data, such as printed reports or receipts.
E-commerce merchants
The following SAQ types apply to merchants that only handle transactions where a card is not physically present – which is typical of e-commerce where the merchant does not handle account data. However, these SAQ types also apply to merchants that process payments via mail order or phone order.
SAQ A
SAQ A is designed for merchants who do not store, process, or transmit cardholder data on their systems but instead outsource all payment processing functions to third-party PCI DSS-compliant service providers.
The simplest SAQ, it allows your organisation to self-assess its PCI compliance. A SAQ A consists of a set of questions designed to assess your organisation’s security posture in line with PCI DSS requirements. You will also soon have an obligation to have quarterly Approved Scanning Vendor (ASV) vulnerability scans, and Stratica can arrange these. Refer to another newsletter, about to be issued, on this important change to SAQ A. All other SAQ types already require ASV vulnerability scans.
SAQ A-EP
SAQ A-EP applies to merchants that outsource all payment processing to PCI DSS validated and compliant third parties, except for the page that collects account data (e.g., hosting a payment page). ASV vulnerability scans are also required each quarter.
Brick-and-mortar merchants
SAQ B
SAQ B applies to merchants that process card transactions using simple card processing devices that are not connected to the internet (such as physical imprint machines or standalone, dial-out terminals that connect to the merchant processor via a phone line). The lack of an internet connection reduces the risk of cyber criminals intercepting transactions and compromising cardholder data.
SAQ B-IP
SAQ B-IP applies to merchants that process transactions via PCI-approved PIN Transaction Security (PTS) Point of Interaction (POI) devices that connect to the payment processor over Internet Protocol (IP).
SAQ C
SAQ C applies to merchants that process transactions using internet-connected payment application systems (such as Point-of-Sale systems).
SAQ C-VT
SAQ C-VT applies to merchants that process payments using virtual terminal solutions that are provided and hosted by a PCI-approved compliant third party. The virtual terminal solution must only be accessed from an isolated, internet-connected device (i.e., one not connected to your organisation’s other systems).
SAQ P2PE
SAQ P2PE applies to merchants that process transactions using PCI-approved Point-to-Point Encryption (P2PE) solutions. These solutions ensure cardholder data is encrypted from the point of entry to the processor, which minimises the risk (and potential impact) of a data breach.
For Merchants that Store Cardholder Data
The following SAQ type applies to merchants that store, process or transmit cardholder data (i.e. customers’ payment details) electronically on their own systems. It also applies to service providers that store account data on behalf of merchants.
SAQ D
SAQ D is the most comprehensive and applies to merchants and service providers who do not meet the criteria for other SAQ types. These merchants typically handle, process, or store payment card data directly and require robust security controls.
What if multiple SAQs Apply to My Organisation?
If your organisation falls under multiple SAQ types (for example, if you have a physical retail store and an e-commerce store), you will need to complete a consolidated SAQ that incorporates all relevant requirements. You do not need to complete multiple SAQs.
What is an AoC and Why Do I Need it?
An Attestation of Compliance (AoC) is a formal document that attests to your PCI compliance, signed by your organisation or by a Qualified Security Assessor firm (such as Stratica).
Organisations receive an AoC upon successful completion of an SAQ.
Do I need a QSA to complete an SAQ?
No, you don’t need a Qualified Security Assessor (QSA) to complete an SAQ. It’s designed to be a self-assessment. However, QSAs are experts in PCI DSS and can provide valuable guidance, especially for businesses with complex payment systems or small businesses with limited security knowledge and/or resources. A QSA can make the completion of the forms more efficient and ensure you are complying with your applicable PCI requirement obligations.
In addition to providing support and expert guidance, a QSA offers an independent assessment, giving you confidence in your PCI compliance efforts.
How Often do I Need to Complete an SAQ?
You must complete an SAQ (Self-Assessment Questionnaire) annually. You must also ensure you obtain quarterly ASV vulnerability scans.
However, you can complete an SAQ as often as you like, and it’s recommended to do so to maintain a robust security posture, and proactively manage risk, such as those arising from changes to your environment.
The SAQ Process
Determine the Right SAQ: Firstly, you figure out which SAQ applies to your business.
Complete the Questionnaire: You fill out the SAQ. It’s a list of questions about your security practices. You’ll need to answer honestly and accurately.
Validate Compliance: As you fill out the SAQ, you’ll need to make sure your systems and processes actually meet the requirements. This might involve checking your network security, reviewing your data storage practices, and making sure your staff are trained on security procedures.
Document Everything: Keep records of everything you do throughout the SAQ. This includes your completed SAQ, any supporting documentation (such as network diagrams or security policies), and evidence that you’ve implemented the required security controls.
Complete an Attestation of Compliance (AoC): Once you’ve completed the SAQ and validated your compliance, you must fill out an Attestation of Compliance (AoC).
Submit to Your Financial Institution: You submit your completed SAQ and AoC to your acquiring bank (the bank that handles your credit card transactions). They may also ask you to provide your most recent ASV vulnerability scan. Again, Stratica can assist.
Maintain Compliance: PCI DSS compliance isn’t a one-time thing. That’s why it’s important to keep your security practices up to date and regularly review your compliance.
It’s essential to assess your payment processing environment accurately to determine the correct SAQ. For detailed guidance on how to ensure compliance, it’s best to consult with a PCI Qualified Security Assessor (QSA).
To discuss a tailored approach to achieving and maintaining PCI compliance, Stratica’s expert team can help. To get started, contact us for a complimentary security review.