Choosing the Right PCI DSS SAQ

The PCI Self-Assessment Questionnaire (PCI SAQ) is a statement of PCI compliance made by merchants and service providers. It is also a way to demonstrate that you have taken the necessary security measures to store and process cardholder data safely in your business.

PCI Self-Assessment Questionnaires are not just a compliance guide; they are also a practical security guide. The easiest way to make sure you don’t miss any security requirements is to work through a PCI SAQ.

See Also: PCI DSS SAQ What to Know, and What to Do

Also, the entities that process your transactions do not want to deal with vulnerable businesses. Therefore, they generally want each merchant to have a completed PCI SAQ as proof of payment security.

Which PCI SAQ is right for me?

“Which SAQ is right for me?” There are nine different SAQs that merchants and service providers can choose from. How you accept credit cards and how you handle cardholder data will mainly decide which SAQ your company should complete.

Each SAQ contains a set of security requirements that businesses must review and comply with. The length of the PCI SAQs and the number of questions vary by type. For example, SAQ A is the shortest with only 24 questions, while the longest, SAQ D, has 328 questions.

For example, if you do not have a physical store and all your online payments are handled by a third party, you may be eligible for SAQ A or SAQ A-EP. If you are an online retailer that accepts credit cards and also stores credit card information for your customers, you should expect to complete SAQ D.

There are 8 PCI SAQs for merchants and one PCI SAQ for service providers. The large number of SAQs makes it a little challenging to choose the right one. Choosing the wrong SAQ can void your compliance and expose your organization to more significant risks of payment card data breaches.

So let’s try to simplify this a little bit with step-by-step instructions. First, let’s continue with an overview of all SAQ options.

Each PCI SAQ contains a list of security requirements that organizations must check and meet. Since there are nine types of SAQ in total, it may take some time to understand and learn all of them. That’s why we created a table of SAQ options to summarize and simplify the SAQ types:

After reviewing the chart, we will give some suggestions and advice on how to use its output correctly.

SAQ Type | Eligibility Criteria | Card Payment Acceptance Channels | Difficulty
---------|----------------------|----------------------------------|-----------
SAQ A | Card-not-present merchants; all cardholder data functions fully outsourced | Card-not-present only: mail order / telephone order (MOTO) and e-commerce | Easy (24 questions)
SAQ A-EP | E-commerce merchants that partially outsource payment processing to a third-party platform | Card-not-present only: e-commerce | Difficult (192 questions)
SAQ B | Merchants using only imprint machines and electronic point-of-sale (POS) devices | Card-present and card-not-present: brick and mortar and MOTO | Easy (41 questions)
SAQ B-IP | Merchants using only standalone, PIN Transaction Security (PTS)-approved payment terminals with an IP connection | Card-present and card-not-present: brick and mortar and MOTO | Average (87 questions)
SAQ C | Merchants with payment application systems connected to the Internet | Card-present and card-not-present: brick and mortar and MOTO | Difficult (161 questions)
SAQ C-VT | Merchants with web-based virtual terminals | Card-present and card-not-present: brick and mortar and MOTO | Average (84 questions)
SAQ P2PE | Merchants using only hardware payment terminals in a PCI-listed P2PE solution | Card-present and card-not-present: brick and mortar and MOTO | Easy (34 questions)
SAQ D (Merchant and Service Provider) | All other SAQ-eligible merchants and SAQ-eligible service providers | Card-present and card-not-present: brick and mortar, MOTO and e-commerce | Extreme (328 questions for merchants; 370 questions for service providers)
PCI DSS 3.2.1 SAQ types

Below is a visual guide (flowchart) for choosing which SAQ type best applies to your environment. Proceed by answering yes or no to the questions in the chart. The SAQ option you arrive at according to your answers will be the most appropriate SAQ for your environment.

[Figure: flowchart, “how to choose the right PCI SAQ”]

Suppose you are a service provider and qualify to validate via SAQ. In that case, your choice is easy, because SAQ D is the only SAQ a service provider can use. It should not be forgotten that an institution can be both a merchant and a service provider. Therefore, it is not unusual to be a service provider that provides transaction processing services to other merchants and is also a merchant itself.

If you are a merchant and qualify to validate via SAQ, you must identify the relevant SAQ form separately for each card acceptance channel you have. Card acceptance channels are card-present (physical) transactions, MOTO (mail order / telephone order) transactions, and e-commerce systems.

The first question you have to answer is whether you store cardholder data electronically, including old (legacy) data. If your answer is yes, you don’t need to spend time searching the various SAQ forms; SAQ D is the one for you.

See Also: PCI Compliance Reports: What Do SAQ, AoC, and RoC Mean?

The next step is to evaluate your company requirements for processing cardholder data in your environment. SAQ D is the most complex SAQ option. If you can prevent the storage of cardholder data in your environment, you can significantly reduce the requirements you have to complete by undertaking one of the other SAQ options.

It is best to consider each card payment channel separately. Let’s start with e-commerce. If you accept transactions through e-commerce, only SAQ A, SAQ A-EP, or SAQ D can apply.

You should read the eligibility requirements carefully to decide on the SAQ form that suits your environment. Generally, e-commerce vendors using URL Redirection or iFrame approaches can apply for SAQ A.

E-commerce merchants using the Direct Post Method (DPM) or a JavaScript form will be eligible for SAQ A-EP. E-commerce vendors using an API method or any other method must comply with SAQ D.

SAQ options that may be suitable for MOTO (Mail Order / Telephone Order) transactions are as follows:

  • SAQ A – All tasks related to cardholder data are outsourced to a fully PCI DSS compliant service provider.
  • SAQ B – Transactions are processed using imprint machines or stand-alone dial-up terminals that have no Internet connection.
  • SAQ B-IP – PTS-approved terminals are used with an Internet (IP) connection.
  • SAQ C – Transactions are processed on your own systems via an Internet-connected payment application.
  • SAQ C-VT – Transactions are processed using a web browser-based virtual terminal solution.
  • SAQ P2PE – Transactions are accepted using a P2PE solution listed by the PCI SSC.
  • SAQ D – If you are not eligible for any of the above SAQ types.

SAQ options that may be suitable for card-present transactions (retail stores or other merchants that accept cards at a physical location) are as follows:

  • SAQ B – Transactions are processed using imprint machines or stand-alone dial-up terminals that have no Internet connection.
  • SAQ B-IP – PTS-approved terminals are used with an Internet (IP) connection.
  • SAQ C – Transactions are processed on your own systems via an Internet-connected payment application.
  • SAQ C-VT – Transactions are processed using a web browser-based virtual terminal solution.
  • SAQ P2PE – Transactions are processed using a P2PE solution listed by the PCI SSC.
  • SAQ D – If you are not eligible for any of the above SAQ types.

You must meet all eligibility requirements for the SAQ option you are targeting, but in some cases, this may not be easy to achieve. Therefore, we recommend that you seek guidance from your acquiring organization or QSA when in doubt.

For example, SAQ C and C-VT are incredibly difficult to interpret when it comes to eligibility criteria in an environment using network segmentation.

Also, when accepting phone payments, remember that any voice recordings you keep may contain cardholder data. Recording phone calls automatically forces you into SAQ D. Phone payments can be misleading, because you need a thorough understanding of the technology you use.

For example, if a company uses voice over IP and carries its payment calls over the same network as its other traffic, the environment must be thoroughly understood and evaluated before the SAQ type can be determined.

After identifying the SAQ types available for each of your card acceptance channels, you need to check whether you must fill in a separate SAQ for each channel. For this, you can always consult your acquiring bank or your QSA.

In general, an agreement can be reached to fill out one SAQ per card acceptance channel, for example SAQ A for e-commerce, SAQ P2PE for card-present transactions, and SAQ C-VT for card-not-present (MOTO) transactions. Completing these three SAQs is much easier than filling out a single SAQ D.
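To make the selection procedure above concrete, here is an added example (not from the original article or the PCI SSC) that encodes the article's rules as a small decision function: the electronic-storage rule, the e-commerce integration rule (redirect/iFrame, DPM/JavaScript form, API), the per-channel lists for MOTO and card-present transactions, the phone-recording caveat, and the comparison between filing one SAQ per channel and filing a single SAQ D. The channel and integration labels (such as `"iframe"` or `"pts_ip_terminal"`) are names chosen for this example, and the question-count total is a rough effort proxy built from the article's table, not an official PCI metric.

```python
from dataclasses import dataclass
from typing import Dict, List

# Question counts per SAQ for merchants (PCI DSS v3.2.1), as listed in the article's table.
SAQ_QUESTIONS: Dict[str, int] = {
    "A": 24, "A-EP": 192, "B": 41, "B-IP": 87,
    "C": 161, "C-VT": 84, "P2PE": 34, "D": 328,
}

# Integration method -> SAQ, per acceptance channel, transcribed from the article's guidance.
# The integration labels are names invented for this example.
CHANNEL_RULES: Dict[str, Dict[str, str]] = {
    "ecommerce": {
        "redirect": "A", "iframe": "A",                   # payment page fully outsourced
        "direct_post": "A-EP", "javascript_form": "A-EP",  # partially outsourced
        "api": "D",                                        # API or any other method
    },
    "moto": {
        "fully_outsourced": "A",
        "standalone_dialup": "B",
        "pts_ip_terminal": "B-IP",
        "payment_application": "C",
        "virtual_terminal": "C-VT",
        "p2pe": "P2PE",
    },
    "card_present": {
        "standalone_dialup": "B",
        "pts_ip_terminal": "B-IP",
        "payment_application": "C",
        "virtual_terminal": "C-VT",
        "p2pe": "P2PE",
    },
}


@dataclass
class Channel:
    kind: str          # "ecommerce", "moto" or "card_present"
    integration: str   # one of the keys in CHANNEL_RULES[kind]


@dataclass
class Merchant:
    channels: List[Channel]
    stores_chd_electronically: bool = False  # includes old / legacy data
    records_phone_calls: bool = False        # recordings may capture cardholder data


def saq_for_channel(channel: Channel) -> str:
    """SAQ assigned to a single acceptance channel by the article's per-channel lists."""
    rules = CHANNEL_RULES[channel.kind]  # unknown channel kind raises KeyError on purpose
    # Anything not eligible for a lighter SAQ falls through to SAQ D.
    return rules.get(channel.integration, "D")


def choose_saqs(merchant: Merchant) -> Dict[str, str]:
    """Map each channel kind to its SAQ.

    Electronic storage of cardholder data, or recording phone orders, forces SAQ D
    for the whole merchant, as the article states, regardless of the channel mix.
    """
    forced_d = merchant.stores_chd_electronically or (
        merchant.records_phone_calls
        and any(c.kind == "moto" for c in merchant.channels)
    )
    return {c.kind: ("D" if forced_d else saq_for_channel(c)) for c in merchant.channels}


def question_count(saqs: Dict[str, str]) -> int:
    """Total questions to answer: one SAQ per channel, or a single SAQ D if any
    channel needs it (SAQ D covers every acceptance channel in the table)."""
    if "D" in saqs.values():
        return SAQ_QUESTIONS["D"]
    return sum(SAQ_QUESTIONS[s] for s in saqs.values())


if __name__ == "__main__":
    # Constructed example: the three-channel merchant the article describes.
    shop = Merchant(channels=[
        Channel("ecommerce", "iframe"),
        Channel("card_present", "p2pe"),
        Channel("moto", "virtual_terminal"),
    ])
    print(choose_saqs(shop), question_count(choose_saqs(shop)))
    # The same merchant after it starts keeping card numbers in its own database.
    stored = Merchant(shop.channels, stores_chd_electronically=True)
    print(choose_saqs(stored), question_count(choose_saqs(stored)))
```

Running the script shows the point of the article's per-channel advice: the three-channel merchant answers 24 + 34 + 84 = 142 questions across SAQ A, P2PE and C-VT, while the same merchant storing cardholder data electronically is pushed to a single SAQ D with 328 questions.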

Before choosing the appropriate SAQ for your environment, creating your network topology, card data flow diagrams, and system inventory for PCI DSS compliance will make the SAQ selection process much more manageable. Although these documents are not required by SAQ A, A-EP, B, B-IP, C, C-VT, or P2PE, they are essential evidence that you have scoped your environment correctly.

Choosing the right PCI DSS SAQ is very important in self-assessment. Often, organizations find that they do not meet all the eligibility criteria for the SAQ they want to complete, and that they are therefore subject to all PCI DSS requirements.

See Also: How to Successfully Pass a PCI Compliance Scan

In such cases, engaging and consulting a PCI QSA will provide valuable assistance in deciding which SAQ is the most appropriate and in reducing the scope of your CDE. Besides, an SAQ signed off by a QSA will also carry significantly greater credibility.

Remember that regardless of your SAQ type, you must comply with all PCI DSS requirements. Compliance with all PCI DSS requirements may require vulnerability scans, penetration tests, or audits.

You can check the PCI SSC Document Library to understand the PCI SAQ types and download the SAQs.

Surkay Baykara, https://www.pcidssguide.com