PCI DSS SAQ

Self-Assessing Your Card Data Security

Every organization that handles payment card data is required to comply with the Payment Card Industry Data Security Standard (PCI DSS).

For organizations with a low transaction volume, the required annual assessment is completed through a survey called a PCI self-assessment questionnaire (SAQ).


An Important Requirement for Merchants

One of the simplest types of PCI DSS validation, the SAQ, can still be daunting. Many businesses just don’t know about this annual requirement until they receive intimidating letters and warnings of fines from financial institutions. 

Even once you realize you need to complete an SAQ, it can be hard to know where to start, which SAQ is correct for you or how the process works. 

If you accept card payments from your customers, there’s no way to avoid proving that you comply with the PCI DSS security standard. For low-transaction-volume businesses, that means an annual self-assessment.

What may seem like a formality is an important step in ensuring your business is protecting your cardholders’ most sensitive personal and financial data.

If your cardholder data is compromised or breached, your business can face penalties, fines and more. For your customers, it can mean years of financial issues, bad credit and even identity theft. For your organization, it can be a PR and brand reputation nightmare.

The bottom line: Skipping your SAQ is never worth the risk or consequences.


We’re Here to Help

Truvantis can help you to understand your SAQ requirements in plain English, with honest help for people without a technology background.

Our team of certified Qualified Security Assessors (QSAs) is here to answer your questions and help you to make the smart decisions that will fulfill your requirements and keep your data secure. Whether you need assistance completing the entire survey or just have questions, we can assist you with this important document in whatever capacity you require.

Common SAQ Questions and Concerns

We’re PCI experts and have published comprehensive guides on the security standard for businesses of all sizes. Explore the information below for many of the most common questions and concerns from organizations preparing to complete their SAQ for the first time.

Which SAQ Do You Need to Complete?

Different SAQ forms exist to address different data security environments and different types of organizations. Use the following descriptions to decide which SAQ best fits your situation.

SAQ TYPES

SAQ A: Covers merchants who perform "card-not-present" transactions, such as ecommerce, mail-order, or telephone-order merchants. These organizations have typically outsourced the storage of cardholder data to third-party processors and do not store, process, or transmit any cardholder data in-house. Face-to-face channels do not qualify.

SAQ A-EP: Applies to ecommerce websites that outsource payment processing and do not receive cardholder data directly, but whose site can still affect the security of the transaction.

SAQ B: Merchants who use only imprint machines and store no cardholder data electronically may qualify for SAQ B. It also applies to standalone dial-out terminals that store no cardholder data. No ecommerce merchant is eligible for SAQ B.

SAQ B-IP: Applies to merchants whose PTS-approved standalone payment terminals connect directly to the payment processor over IP and store no cardholder data. Again, no ecommerce merchant qualifies.

SAQ C-VT: Applies to merchants who process transactions by manually entering card details for each transaction into a virtual payment terminal connected to the Internet, provided and hosted by a third-party service provider validated as PCI DSS compliant, with no cardholder data stored. No ecommerce businesses qualify.

SAQ C: Merchants whose payment terminals connect to the Internet but store no cardholder data on site may use SAQ C. Again, ecommerce businesses cannot use this SAQ.

SAQ P2PE: Used by merchants whose payment-terminal hardware is included in and managed by a P2PE (point-to-point encryption) solution validated by the PCI SSC, with no cardholder data stored. No ecommerce businesses qualify.

SAQ D: Any merchant who does not fit the above qualifications must use SAQ D.

For some businesses, it’s unclear which SAQ applies best. Truvantis can help determine which SAQ is right for you. 

What Does the PCI DSS Self-Assessment Questionnaire Entail?

The SAQ (self-assessment questionnaire) includes:

  • Instructions and Guidelines
  • Frequently Asked Questions
  • Self-Assessment Questionnaires
  • Attestations of Compliance
  • PCI DSS Security Procedures and Requirements
  • Information Supplements
  • General FAQ
  • Glossary of Terms, Abbreviations, and Acronyms

Strategies for a Successful SAQ

Regardless of which SAQ you’re using, the same strategies for PCI DSS compliance success can help you to prepare, while securing your cardholder data environment.

  1. Don’t Store Sensitive Authentication Data

    Never store this data after authorization. It includes PINs, PIN blocks, full magnetic stripe or chip contents, and the codes and values used for card verification.
  2. Review Point of Sale Technology

    Speak to your POS service provider about the security of your hardware and software. Ask about default settings, remote access, unnecessary or insecure services left over from installation, handling of sensitive authentication data, protection of primary account numbers, documentation of files written by the software, password enforcement, patches and updates, logging capability, and sensitive data stored by prior versions. Ideally, use a P2PE-certified solution, but check the certification on the PCI Security Standards Council’s website.
  3. Delete Cardholder Data

    If you don’t need it, delete it. Understand when and why you store any data, and eliminate any illegitimate or redundant storage. Consolidate and isolate the data you do need, to limit both the scope of PCI DSS compliance and your overall security risk.
  4. Implement PCI DSS Controls

    Start following all controls recommended by PCI DSS.
  5. Get Professional Assistance

    Enlist the help of a certified QSA to prepare or perform your assessment for the first time.
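Strategies 1 and 3 both come down to knowing where card data actually ends up. The following is an added example, not code from Truvantis or the PCI SSC: a small Python scanner that reads log lines and flags runs of 13 to 19 digits that pass the Luhn (mod 10) check, plus magnetic-stripe track data and card verification codes logged next to a field name, which are sensitive authentication data that must never be retained after authorization. The log lines are constructed for illustration and the card numbers are the public Luhn-valid test numbers, not real cards; findings are reported with the PAN masked so the report itself does not re-create the problem.

```python
import re
from typing import Dict, List

# Constructed sample log lines for illustration only. The PANs are public test
# numbers that pass the Luhn check; nothing here is a real card.
SAMPLE_LOG = [
    "2024-03-01 10:02:11 INFO order=1234567890123456 status=approved",
    "2024-03-01 10:02:12 DEBUG request body: pan=4111111111111111 cvv=123 exp=1225",
    "2024-03-01 10:02:13 DEBUG swipe raw: ;5500000000000004=25121011234567890?",
    "2024-03-01 10:02:14 INFO customer phone=4155551212 ref=4111-1111-1111-1111",
    "2024-03-01 10:02:15 INFO heartbeat ok",
]

# Candidate PAN: a whole run of 13 to 19 digits, optionally separated by single
# spaces or dashes. The lookarounds stop us matching the middle of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe track data (ISO/IEC 7813): track 1 begins %B<PAN>^, track 2
# begins ;<PAN>=. Both are sensitive authentication data.
TRACK1 = re.compile(r"%B\d{13,19}\^")
TRACK2 = re.compile(r";\d{13,19}=\d{4,}")
# A card verification code written out next to its field name.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid|csc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit runs in `text` that look like a PAN and pass Luhn.

    Luhn filters out most order numbers and timestamps, but a random 16-digit
    value passes one time in ten, so treat hits as leads to verify, not proof.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the report does not re-log the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_line(line: str) -> Dict[str, List[str]]:
    """Classify what one log line exposes: masked PANs and the kinds of SAD present."""
    findings: Dict[str, List[str]] = {}
    pans = find_pans(line)
    if pans:
        findings["pan"] = [mask_pan(p) for p in pans]
    sad = []
    if TRACK1.search(line):
        sad.append("track1")
    if TRACK2.search(line):
        sad.append("track2")
    if CVV_FIELD.search(line):
        sad.append("cvv")
    if sad:
        findings["sad"] = sad
    return findings


def scan_log(lines: List[str]) -> List[dict]:
    """Scan every line and return only those with findings, numbered from 1."""
    report = []
    for n, line in enumerate(lines, start=1):
        f = scan_line(line)
        if f:
            report.append({"line": n, **f})
    return report


if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(entry)
```

Run against the constructed sample, the scanner reports lines 2, 3 and 4: line 2 contains a PAN and a CVV, line 3 contains a PAN inside raw track 2 data, and line 4 contains a dash-separated PAN, while the 16-digit order number on line 1 is ignored because it fails the Luhn check. Pointing it at real application, web-server and POS logs is one concrete way to learn whether your environment is storing data that the first and third strategies say should not be there.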

Expert Help to Make Your SAQ Painless

The SAQ is designed for organizations to simply self-assess their cardholder data security every year.

In reality, it can be hard to get it right even if you have a background in cybersecurity.

Whether you need a partner for the entire process or just have questions, Truvantis is a certified QSA and we’re here to help you get it done right.