If your business, organisation or contact centre processes fewer than 6 million card transactions annually, you may be able to validate PCI DSS (Payment Card Industry Data Security Standard) compliance via a Self-Assessment Questionnaire (SAQ) rather than an on-site assessment.

The type of assessment you must undergo varies according to your merchant level, but if you are at a level which allows SAQ submission instead of a full, formal audit each year, you will need to submit your SAQ and Attestation of Compliance (AoC), signed by a responsible officer at your business (typically your chief financial officer, CFO), to your acquirer or as your payment brand directs.

This may all sound like a lot of acronyms (and, yes, it is!) but in essence, these self-assessments are all about ensuring your organisation and your customers are protected as far as possible from the risk of data breaches and fraud. Getting your SAQ wrong, whether by choosing the wrong questionnaire or answering it inaccurately, can seriously endanger your business and place customer card details at risk, which is why it's so important to take SAQs seriously and complete them correctly.

Choosing the Right SAQ for Your Business

The very first step towards correct completion is choosing the right SAQ. Because organisations come in all shapes and sizes, one size doesn't fit all, which is why a range of SAQs has been developed to suit different ways of accepting card payments.

This simple guide will help you identify which SAQ is right for you, setting you on the right track…

SAQ A

  • Who is it for?
    Card-not-present (CNP) merchants that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
  • Actions required
    • Any paper records containing cardholder data must be protected and securely destroyed when no longer needed.
    • A list of the third-party service providers handling cardholder data on your behalf must be maintained.
    • The PCI DSS compliance status of those third-party service providers must be monitored.
    • Completion of SAQ A (22 questions)


SAQ A-EP

  • Who is it for?
    E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and whose website(s) do not directly receive cardholder data but can affect the security of the payment transaction (for example, a checkout page whose own form posts the card details from the customer's browser directly to the payment provider, rather than redirecting the customer to a page hosted by the provider). No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
  • Actions required
    • Any e-commerce merchant formerly using SAQ A should check the eligibility criteria to determine whether SAQ A-EP now applies instead.
    • Completion of SAQ A-EP (193 questions)

SAQ B

  • Who is it for?
    Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone dial-out terminals (connected via a phone line, not an IP network) with no electronic cardholder data storage.
  • Actions required
    • Ensure terminals are not connected to any other systems or networks, so that cardholder data is not exposed to them. Terminals that connect over Ethernet, Bluetooth to a networked device, or cellular data are not dial-out terminals; check with your acquirer whether SAQ B-IP applies instead.
    • Completion of SAQ B (41 questions)

SAQ B-IP

  • Who is it for?
    Merchants without electronic cardholder data storage who process payments via standalone PTS-approved point-of-interaction (POI) devices which have IP connections to payment processors. This type of transaction can take place in person or via the phone or post.
  • Actions required
    • Ensure POI devices are segmented from all other networks and systems in the merchant environment.
    • Paper merchant receipts must be the only cardholder data retained.
    • Completion of SAQ B-IP form (84 questions)

SAQ C

  • Who is it for?
    Merchants whose payment application systems (for example, a point-of-sale system) are connected to the Internet, with no electronic cardholder data storage.
  • Actions required
    • Ensure the system used to enter cardholder data is isolated from other networks and strongly protected (for example, placed behind a firewall, kept patched, and not used for other Internet activity).
    • Completion of SAQ C (162 Questions)

SAQ C-VT

  • Who is it for?
    Merchants who manually enter one transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider, with no electronic cardholder data storage.
  • Actions required
    • Ensure the computer used to access the virtual terminal is isolated in a single location, is not connected to other systems in the merchant environment, and is not used to store cardholder data electronically.
    • Completion of SAQ C-VT (a shorter questionnaire than SAQ C)

SAQ P2PE-HW

  • Who is it for?
    Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
  • Actions required
    • All cardholder data must be entered only via a validated P2PE hardware device. Merchants using a validated P2PE solution are not required to carry out vulnerability scans or penetration testing.
    • Completion of SAQ P2PE-HW (33 questions)

SAQ D (For merchants)

  • Who is it for?
    All merchants who do not meet the eligibility criteria for any of the SAQ types above.
  • Actions required
    • Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and penetration testing are required.
    • Completion of SAQ D, which covers all 329 PCI DSS requirements. Requirements may be marked 'not applicable' only where they genuinely do not apply to your environment, and the reason must be documented.

SAQ D (For service providers)

  • Who is it for?
    All service providers defined by a payment brand as SAQ-eligible, typically those processing fewer than 300,000 transactions per year (service providers above that volume generally require a full Report on Compliance).
  • Actions required
    • Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and penetration testing are required.
    • Completion of SAQ D, which covers all 329 PCI DSS requirements. Requirements may be marked 'not applicable' only where they genuinely do not apply and the reason is documented. Additional 'Service Provider Only' requirements are identified within the PCI DSS and must also be addressed.

Do you know which SAQ you need to complete? We specialise in PCI solutions for contact centres, helping to make compliance simpler through a range of hassle-free third party services. For more information, advice and assistance, please contact our expert consultants today.

This guide is the fourth chapter of our eBook ‘Starting Your PCI Compliance Journey’.