We totally understand… its daunting to figure out which PCI DSS Self-Assessment Questionnaire (SAQ) you need to complete for your business. After all, there are nine of them!
The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment. There are a number of different SAQs available that are intended meet the needs of particular types of environments:
1. SAQ A – Perhaps the simplest one…required if you have full outsourced all your cardholder data functions. So there is NO electronic storage, processing, or transmission of any cardholder data in your systems or premises.
2. SAQ A-EP – Applicable if you do not store, process or transmit cardholder data on your premises or on your systems – you use e-commerce only and have outsource the handling of all card data to a third party. However, although your website doesn’t handle card data, it could still impact the security of a transaction.
3. SAQ B – This one is not for e-commerce environments. It is applicable to merchants who do not store, process or transmit cardholder data BUT they use standalone, dial-out terminals or imprint machines.
4. SAQ B-IP – Also not for e-commerce environments. Required if you only use standalone, PTS-approved payment terminals with an IP connection to the payment processor and have no electronic cardholder data storage.
5. SAQ C-VT – Also not for e-commerce environments. Required if you use a virtual terminal on a computer that is solely for card processing. Again no electronic cardholder data is stored.
6. SAQ C – Required if you have a payment application connected to the Internet; even if you do not store any cardholder data.
7. SAQ P2PE – Required if you are using point-to-point encryption (P2PE) devices; even if you even if you do not store any cardholder data.
8. SAQ D for Merchants – Required if you are handling your own credit card processing or use a P2PE solution. Therefore, you may be storing credit card data electronically.
9. SAQ D for Service Providers – If you are a service eligible to complete an SAQ you need this one!
Completing your SAQ will not only improve your security but it will demonstrate that you consider and care about payment security to your clients, processors and other stakeholders.
FYI, ControlCase assists companies to achieve PCI compliance using SAQ.
Click Here to discuss your specific environment.