PCI DSS SAQ Refresher
PCI DSS SAQ Refresher
Any organization coming into contact with cardholder data is required to fill out a Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaire (SAQ). PCI compliance is essential for accepting payments. PCI DSS SAQs range from 24 simple questions to over 328 security points. Here are the differences…
The Eight Types of PCI DSS SAQs
There are currently eight variations of the PCI DSS SAQ. The one your business needs to use depends on what extent you handle credit card data.
- SAQ A: For card not present, e-commerce businesses that outsource cardholder data processing completely to a PCI compliant payment processor.
- SAQ A-EP: E-commerce merchants who outsource payment processing to PCI compliant payment processor but who have website APIs that may affect data security.
- SAQ B: Brick-and-mortar stores using standalone terminals, process payments outside of any point of sale software and do not store cardholder information anywhere in their physical or digital environment.
- SAQ B-IP: Merchants who use PTS-approved standalone terminals that transmit data to payment processors via an IP connection.
- SAQ C: Businesses using payment apps that are connected to the internet.
- SAQ C-VT: Merchants who enter transactions manually into a PCI DSS-compliant virtual terminal solution.
- SAQ P2PE-HW: Merchants who have implemented hardware-only payment terminals. These terminals must be managed using a PCI SSC-compliant P2PE package.
- SAQ D: Any merchants who don’t qualify for other questionnaire types. Service providers generally need to fill out this form as well.
The easiest SAQs to fill out are questionnaires A and B. SAQ D is more extensive and complicated. It often requires outside assistance for proper certification.
How To Choose the Correct PCI DSS SAQ for Your Business
To determine the right questionnaire for your company, consider a few questions:
- Do you store any cardholder data?
- Do you use a point-of-sale terminal in your store?
- Do you conduct e-commerce transactions?
- Do you outsource cardholder data to a PCI DSS compliant service provider?
The easiest way to simplify compliance is to partner with a PCI compliant payments provider.