
What is an SAQ (Self-Assessment Questionnaire)?

Author: Chris Brown
Published: September 3, 2025

As a merchant or service provider processing card transactions, you must ensure your security standards meet the Payment Card Industry Data Security Standard, or PCI DSS. In some cases, you can attest to your compliance with an SAQ, or Self-Assessment Questionnaire.

In this guide, we explore what SAQs entail, who needs to complete them, and what to expect when filling them out.

What is PCI SAQ?

A PCI SAQ is a self-assessment questionnaire completed by many businesses to ensure their security measures are compliant with PCI DSS standards.

A PCI SAQ is a PCI DSS assessment consisting of a series of questions that determine which requirements apply to you, paired with an AOC, or Attestation of Compliance, which confirms whether or not you have met those requirements.

Ultimately, your SAQ sets out the parameters your card security processes must follow and shows whether or not you currently meet them. After completing the SAQ and AOC, you submit both to your payment brand or any other requester.

We recommend our users look carefully through the SAQ requirements and types before they proceed with any scanning and checks.

Who Must Complete an SAQ

Service providers and merchants that process fewer than six million card transactions per year are eligible to complete an SAQ.

Generally, businesses processing more than six million annual transactions are deemed level one organizations (i.e., riskier) in the PCI DSS compliance hierarchy (as generally followed by payment card brands) and therefore are not eligible to complete an SAQ. Rather, level one organizations must undergo a full PCI DSS Assessment by a Qualified Security Assessor (QSA) and complete a Report on Compliance (ROC).

We always advise customers to check the levels set by their specific payment card brands before they choose an SAQ.

Types of PCI DSS SAQs and How to Choose the Right SAQ

As of PCI DSS v4.0.1, there are ten types of PCI DSS SAQs, each tailored to a different merchant or service provider environment. SAQ A and A-EP apply to card-not-present merchants that outsource payment processing; B and B-IP are for merchants using standalone terminals without storing data; C and C-VT cover internet-connected payment applications and virtual terminal setups, respectively. SAQ D Merchant and SAQ D Service Provider are for merchants and service providers that don’t qualify for any other SAQ. SAQs P2PE and SPoC are for merchants using PCI-listed Point-to-Point Encryption solutions or secure PIN-entry devices. Choosing the right SAQ depends on your payment processing methods and data handling practices.

Let’s quickly break down who needs to complete which SAQ, based on advice from the PCI Security Standards Council (PCI SSC).

SAQ A

SAQ A covers PCI DSS requirements for “card-not-present” merchants. That means if you outsource your card handling to PCI-compliant third parties, you’ll complete this form. You don’t store or transmit card data electronically on premises.

SAQ A-EP

If you are an e-commerce merchant whose own website handles part of the payment page (but you don’t store cardholder data on-site), complete an SAQ A-EP.

SAQ B

To file an SAQ B, you must be a merchant that uses standalone dial-out terminals and/or imprint machines to handle payments. However, you must not store any cardholder data on-site.

SAQ B-IP

You’ll need to file an SAQ B-IP if you’re a merchant using a PIN Transaction Security (PTS) Point of Interaction (POI) device that connects directly to your payment processor. You must not store cardholder data.

SAQ C

SAQ C covers merchants that store no account data electronically but use payment application systems connected to the internet.

SAQ C-VT

SAQ C-VT is similar to SAQ C: it applies to merchants that use third-party virtual payment terminals on standalone, isolated devices. Those devices may be connected to the internet, but you don’t store any card data.

SAQ D Merchant

This version of SAQ D is used by merchants at levels two, three, or four that aren’t eligible for any other SAQ. According to the PCI SSC, you might require SAQ D if, for instance, you store account data via your website but are otherwise a simple e-commerce operation.

SAQ D Service Provider

Most SAQs cover merchants; SAQ D Service Provider, however, is available to service providers that are deemed eligible by their payment card brands. The PCI SSC notes that additional documents are required along with this SAQ.

SAQ P2PE

If you’re a merchant running payment terminals through a PCI-validated and listed Point-to-Point Encryption (P2PE) solution, and you don’t hold electronic card data, you’ll file using SAQ P2PE.

SAQ SPoC

SAQ SPoC is reserved for merchants that use PCI-approved and listed PTS Secure Card Reader-PIN (SCRP) devices. If you accept card-present contactless, magnetic-stripe, and chip transactions on such devices, you’re covered by this SAQ.

What to Expect in Each SAQ

A typical SAQ includes questions regarding how you build and maintain your network, how you protect account data, what control measures you have in place, and how you establish your information security policies.

Questions within your SAQ offer a fixed set of response options and are organized around the 12 core requirements of PCI DSS.

Ultimately, your SAQ answers and proof of testing will satisfy PCI DSS compliance requirements if you can prove that:

  • You have steps to protect account or cardholder data, if you have a business need to hold it
  • You have robust cybersecurity coverage for your infrastructure, network, and systems in place
  • Your access controls are strong and follow industry best practices
  • You have a vulnerability management program
  • You have information security policies that undergo regular reviews, and you ensure personnel are aware of data protection and security across your organization

In some SAQs, you may also need to describe the compensating controls (i.e., alternative safeguards) you have in place where your security plan has constraints or residual risks.

You’ll also need to justify any requirements you mark as “Not Applicable” or “Not Tested” rather than simply skipping those sections.

Not all SAQs cover all 12 requirements, simply because some will not be relevant to the merchants or providers completing the forms.

The PCI SSC further notes that:

“The SAQs have been updated to reflect the PCI DSS v4 requirements updates, so that the requirement wording in the SAQs now mirrors that which is used in the standard, and the SAQ reporting responses are aligned with the PCI DSS v4 Report on Compliance template.”

Steps to Completing an SAQ

To complete your SAQ, you need to determine your compliance level and SAQ type, download your applicable SAQ and AOC directly from PCI SSC, and follow the steps to assess and prove your compliance. You must then submit your SAQ and AOC to the entities requesting it, for example your acquiring bank and applicable payment card brands.

Remember, completing and verifying an SAQ is just a small part of the broader steps to the PCI DSS compliance process, but it’s one of the most important.

Here are the steps broken down simply:

  1. Determine whether you are a service provider or a merchant, and which of the four levels set by your acquirer and payment card brands apply to you.
  2. Once you have determined your level, check your compliance expectations with your payment brand.
  3. Use the PCI SSC’s document library to determine which SAQ fits your business’s profile, and download the official SAQ and appropriate AOC recording templates.
  4. Where possible, use a PCI DSS compliance management tool, such as SecureTrust, to simplify these steps. SecureTrust helps you to download, check, and complete SAQs comprehensively with minimal time and effort spent.
  5. If you don’t use a tool, be sure to scan, test, and record compliance data manually and fill out your SAQ.
  6. Filling out your AOC will require either your company or a qualified assessor to check and test your measures and to legally attest that you are compliant.
  7. With all data collected and detailed, you can then submit your SAQ via your payment brand or requester.

Conclusion

PCI DSS self-assessment eligibility is designed to make compliance checks and reporting less of a hassle for businesses, while reassuring payment card brands that the companies they partner with are doing enough to protect any account and cardholder data they store.

With software like SecureTrust’s PCI Manager, it’s even easier to test and verify your data compliance and to be ready for checks and requests in just a few clicks.

Author: Chris Brown, Senior Product Marketing Manager, SecureTrust
