Understanding the SAQs for PCI

The Self-Assessment Questionnaires (SAQs)

The Self-Assessment Questionnaires (SAQs) for Payment Card Industry (PCI) compliance are tools that help businesses understand and validate their adherence to the PCI Data Security Standard (DSS). These questionnaires are essential for smaller merchants and service providers who handle credit card transactions, as they help identify and correct security weaknesses. Here's an overview to help make sense of the SAQs and how they apply:

1. SAQ Types and Applicability

Each SAQ is designed for different payment processing methods and business environments. Choosing the correct one depends on how your business processes cardholder data. Here are the primary SAQ types:

  • SAQ A: For merchants who fully outsource all card data functions to PCI DSS-compliant third-party providers and don’t electronically store or process cardholder data. Typically applies to e-commerce merchants using a fully hosted payment solution.
  • SAQ A-EP: For e-commerce merchants who outsource payment processing to a third-party provider but have websites that affect the security of the payment transaction.
  • SAQ B: For merchants using only standalone, dial-out terminals and not storing cardholder data electronically.
  • SAQ B-IP: For merchants with IP-based point-of-sale (POS) systems and standalone terminals that connect over the internet.
  • SAQ C-VT: For merchants who manually enter cardholder data via a virtual terminal on a computer that is isolated and dedicated to this purpose.
  • SAQ C: For merchants with POS systems connected to the internet, who do not store cardholder data electronically.
  • SAQ P2PE: For merchants using PCI-validated point-to-point encryption (P2PE) solutions, reducing their PCI scope by protecting card data.
  • SAQ D: For businesses that don’t qualify for any other SAQ, typically larger entities or service providers that handle cardholder data in a more complex environment.