How to complete SAQ A

SAQ A is a PCI compliance questionnaire designed for merchants who fully outsource all card processing to PCI DSS-compliant third-party providers and who do not electronically store or handle cardholder data in-house.

How do I start? 

Paystri has partnered with SecureTrust to provide you with the tools to complete the SAQ online, as well as schedule any necessary scans. You should receive an email when it's time to attest to your annual compliance. You will need to log in to the SecureTrust Portal.

If this is your first time completing your PCI SAQ, you will need to complete your business profile. You will only need to do this once; the information will be saved for you next year, and you can simply update it if something has changed.

 

Select Manage on the business profile section to begin. 

 

 

You will be taken to a page detailing the next steps. Click Next until you are asked to pick an assessment method. Choose Expert then click Next.

 

 

You will need to select your PCI DSS compliance assessment type. For Our School Hangouts merchants, choose type A for card-not-present merchants (e-commerce) that fully outsource all cardholder data functions to a PCI DSS validated third-party service.

 

 

 

When asked if your compliance assessment requires scanning, answer by choosing "No."

 

 

Third-party payment service providers

When asked if your company shares cardholder data with third-party providers or uses more than one acquirer, select "No."

Next, it will ask if you enforce a minimum password length of seven characters. Answer "Yes."

 

 

 

 

A summary of how and where you handle card payments

When you arrive at the summary page, hover over the orange question marks for additional details on each description box. See below for some examples of what information to include. 

 

 

 

Your next steps

Once you've completed the above steps, your next step is to complete your PCI compliance questionnaire.

 

 

 

 

 

Completing your Security Assessment Questionnaire

The answers you provide on the business profile will determine which Self Assessment Questionnaire (SAQ) you need to complete. The answers you have already provided are used to fill out the SAQ as thoroughly as possible, though there are likely to still be a handful of questions you will need to answer.

 

On your dashboard, under the Complete security assessment section, select Manage, then choose Answer Now. 

 

The rest of the questions will be about your specific business practices, computer use and security, and physical security. If you need clarification on a question, there will be a blue information box with additional details. You can also call SecureTrust at 1-800-363-1621 for assistance.

 

Once you have completed the SAQ, you will need to attest to your compliance. Select: Confirm your attestation. 

 

What to Expect When Completing PCI SAQ A

Completing the PCI DSS Self-Assessment Questionnaire (SAQ) A involves answering 24 questions divided into five sections. The SAQ A is designed for merchants who have outsourced all cardholder data functions to third-party service providers. You should be answering "Yes" to most, if not all, questions, indicating compliance with the PCI DSS requirements. Below is a guide on how to approach each question and why you should answer yes.

 

 

Question 2.2.2

Why You Should Answer "Yes"

  • Changing Default Passwords: Prevents exploitation by securing accounts.
  • Removing or Disabling Unused Accounts: Reduces potential entry points for attackers.

These actions minimize risks and ensure PCI DSS compliance.

 

 

 

 

Question 3.1.1




Why You Should Answer "Yes"

  • Documented: Ensures all policies and procedures are written down.
  • Kept Up to Date: Regular reviews and updates maintain relevance.
  • In Use: Active implementation in daily operations.
  • Known to All Affected Parties: Effective communication to all relevant personnel.

These practices ensure effective data protection and PCI DSS compliance.

 

 

 

 

 

Question 3.2.1


Why You Should Answer "Yes"

  • All Locations: Policies cover all storage locations.
  • Sensitive Data: Addresses storage of sensitive authentication data (SAD) before authorization.
  • Limit Storage: Only store data as long as necessary.
  • Retention Requirements: Clearly define retention periods and justifications.
  • Secure Deletion: Ensure data is securely deleted when not needed, with quarterly verification.

These practices minimize stored account data, reduce risks, and ensure PCI DSS compliance.

 

 

 

 

Question 6.3.1

Why You Should Answer "Yes"

  • Identify Vulnerabilities: Stay informed using trusted sources like CERT alerts.
  • Assign Risk Rankings: Evaluate based on best practices and potential impact.
  • High-Risk Focus: Prioritize addressing high-risk or critical vulnerabilities.

This approach ensures timely and effective vulnerability management, enhancing security and compliance.

 

 

 

 

Question 6.3.3

Why You Should Answer "Yes"

  • Install Quickly: Apply critical patches within a month to mitigate risks.
  • Regular Updates: Regularly update systems to protect against vulnerabilities.

These practices maintain security and ensure PCI DSS compliance by promptly addressing vulnerabilities.

 

 

 

 

Question 8.2.1

Why You Should Answer "Yes"

  • Unique ID Assignment: Ensures every user has a unique identifier.
  • Access Control: Helps track and control access, enhancing security and accountability.

These practices maintain secure access and comply with PCI DSS requirements.

 

 

 

 

Question 8.2.2

Why You Should Answer "Yes"

  • Prevent Use: Restrict to exceptional circumstances only.
  • Time Limit: Limit usage duration to the specific need.
  • Document Justification: Record the business reason for use.
  • Management Approval: Obtain explicit approval from management.
  • Confirm Identity: Verify individual identity before granting access.
  • Attribution: Ensure all actions are traceable to a specific user.

These practices ensure security, accountability, and compliance with PCI DSS.

 

 

 

Question 6.3.1

Why You Should Answer "Yes"

  • Immediate Revocation: Disable access as soon as a user is terminated.
  • Security: Prevent unauthorized access and protect sensitive data.

Promptly revoking access maintains security and ensures PCI DSS compliance.

 

 

 

 

Question 8.3.1

Why You Should Answer "Yes"

  • Multi-Factor Authentication: Use one of the specified factors to authenticate access.
  • Enhanced Security: Ensures secure access and protects system components.

Implementing these authentication factors strengthens security and ensures PCI DSS compliance.

 

 

 

 

Question 8.3.5

Why You Should Answer "Yes"

  • Unique Passwords: Ensure each password is unique at first use and reset.
  • Immediate Change: Require users to change passwords immediately after first use.

These practices enhance security and ensure PCI DSS compliance.

 

 

 

 

Question 8.3.7

Why You Should Answer "Yes"

  • Password History: Enforce a policy preventing reuse of the last four passwords.
  • Enhanced Security: Prevents repeated use of old passwords, reducing the risk of compromise.

Implementing this policy strengthens security and ensures PCI DSS compliance.

 

 

 

Question 8.3.9

Why You Should Answer "Yes"

  • Regular Changes: Change passwords every 90 days to reduce risk.
  • Dynamic Analysis: Use real-time security assessments to control access.

Both methods enhance security and ensure PCI DSS compliance.

 

 

 

Question 9.4.1

Why You Should Answer "Yes"

  • Physical Security: Store all media containing cardholder data in a secure location.
  • Prevent Unauthorized Access: Use locked storage, access controls, and monitoring.

These practices protect sensitive data and ensure PCI DSS compliance.

 

 

 

 

Question 9.4.1.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Secure Storage: Keep offline backups in a secure, access-controlled environment.
  • Data Protection: Prevents unauthorized access and data breaches.

Properly securing offline backups ensures data safety and PCI DSS compliance.

 

 

 

 

Question 9.4.2

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Data Classification: Assign sensitivity levels to media based on the data it contains.
  • Appropriate Handling: Handle media according to its classification level.

These practices enhance data protection and ensure PCI DSS compliance.

 

 

 

 

Question 9.4.3

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Secure Transport: Use a secured courier or a trackable delivery method to send media.
  • Tracking: Ensure accurate tracking to prevent loss or unauthorized access.

These practices protect cardholder data during transit and ensure PCI DSS compliance.

 

 

 

 

Question 9.4.4

Why You Should Answer "Yes"

  • Management Approval: Obtain management approval before moving media outside the facility.
  • Controlled Distribution: Ensure all movements are authorized to protect cardholder data.

These practices ensure oversight and security, maintaining PCI DSS compliance.

 

 

 

 

Question 9.4.6

Why You Should Answer "Yes"

  • Secure Destruction: Use methods that ensure data cannot be reconstructed.
  • Secure Storage: Keep materials in secure containers until destruction.

These practices ensure data is irrecoverable and maintain PCI DSS compliance.

 

 

 

 

Question 12.8.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Maintain List: Keep an updated list of all TPSPs handling or affecting account data.
  • Service Description: Include a brief description of the services each TPSP provides.

These practices ensure oversight and accountability, supporting PCI DSS compliance.

 

 

 

 

Question 12.8.2

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Maintain Agreements: Ensure all TPSPs have signed agreements.
  • Acknowledge Responsibility: Include TPSP acknowledgment of their responsibility for securing account data.

These practices ensure clear responsibilities and PCI DSS compliance.

 

 

 

 

Question 12.8.3

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Engagement Process: Implement a structured process for engaging TPSPs.
  • Due Diligence: Conduct thorough due diligence before engaging any TPSP.

These practices ensure the security and compliance of TPSPs with PCI DSS requirements.

 

 

 

Question 12.8.4

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Annual Monitoring: Check TPSPs' PCI DSS compliance annually.
  • Ongoing Compliance: Ensure TPSPs maintain required security standards.

These practices maintain oversight and ensure ongoing PCI DSS compliance.

 

 

 

 

Question 12.8.5

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Annual Monitoring: Check TPSPs' PCI DSS compliance annually.
  • Ongoing Compliance: Ensure TPSPs maintain required security standards.

These practices maintain oversight and ensure ongoing PCI DSS compliance.

 

 

 

 

Question 12.10.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Preparedness: Ensure an incident response plan is in place and ready.
  • Clear Roles: Define roles, responsibilities, and communication strategies.
  • Detailed Procedures: Include specific procedures for containment, mitigation, recovery, and backups.
  • Legal Compliance: Analyze and include legal reporting requirements.
  • Comprehensive Coverage: Ensure all critical systems are included.
  • Payment Brands: Reference or include procedures from payment brands.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.