PCI SAQ Compliance

What is PCI SAQ?

A PCI Self-Assessment Questionnaire (SAQ) is a blueprint for merchants and service providers to become PCI DSS compliant. An SAQ acts like a checklist to ensure you don't miss any of the security requirements applicable to your business. Since the methods of processing payment via a payment card differ from business to business, a different SAQ is available for each variant. PCI SAQ applies to small merchants and service providers who are not required to undergo an onsite audit and submit a Report on Compliance to their acquiring banks or payment brands, but who must still comply with all applicable requirements of the PCI DSS standard. Depending on the business model, one or more SAQ types might apply to your organization.

To whom does it apply?

PCI SAQ applies to Service Providers who store credit card data or process less than 300,000 payment card transactions annually.

PCI SAQ Compliance – Consulting

Self-attesting compliance with the DSS through a PCI SAQ is an annual activity for both merchants and service providers. They need not undergo an onsite audit or submit a RoC (Report on Compliance) to their acquiring banks or payment brands. However, it is not as easy as it sounds: performing a self-assessment requires defining the scope of the assessment activities and correctly interpreting the requirements involved.

We at Crossbow Labs make achieving compliance a smooth process for you. We customize our services to fit your business needs and processes. Our #1 motto is to ensure you understand the intent of the PCI DSS standard and its requirements as thoroughly as we do.

We break down the whole self-assessment pursuit into three simple steps:

  • Understanding your business processes in relation to cardholder data to identify the scope and applicable SAQ type.
  • Doing a thorough gap assessment and providing remediation support for the gaps identified.
  • Filling SAQ and providing AoC (Attestation of Compliance).

PCI SAQ Types

Based on the type of payment card processes involved, there are 9 types of SAQ available for merchants. For service providers, only SAQ D is applicable.

Types:

  • PCI SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
    Not applicable to face-to-face channels.

  • PCI SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
    Applicable only to e-commerce channels.

  • PCI SAQ B: Merchants using only:

    • Imprint machines with no electronic cardholder data storage; and/or
    • Standalone, dial-out terminals with no electronic cardholder data storage.

    Not applicable to e-commerce channels.

  • PCI SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
    Not applicable to e-commerce channels.

  • PCI SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
    Not applicable to e-commerce channels.

  • PCI SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
    Not applicable to e-commerce channels.

  • PCI SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
    Not applicable to e-commerce channels.

  • PCI SAQ D:

    • For Merchants: All merchants not included in descriptions for the above types.
    • For Service Providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.