
Can I Fall Under Multiple PCI SAQs?

August 7, 2025

Merchants are required to complete a PCI SAQ (self-assessment questionnaire) every year. However, in some cases, it may be easier to complete multiple shorter SAQs instead of one all-encompassing one.

What is the Difference Between the SAQs?

There are eight different SAQs – each one with its own set of requirements. (Take a deeper dive into each of the questionnaires here.)

Depending on how a merchant takes credit card payments, it may be possible – even preferable – to complete two or three of the shorter options. For example, the SAQ-D is 329 questions; completing a 31-question SAQ A and a 79-question SAQ C-VT is still less effort in comparison.

Qualifying for Multiple Reduced SAQs

Typically, each payment environment should correspond to its own SAQ. (For instance, e-commerce, retail, and MOTO environments should each be addressed in their own questionnaire.)

Here’s how Jonathan Paolozzi, Curbstone’s IT Operations Manager, explains it:

“One situation where a merchant may fall under two SAQs is when they use multiple payment channels. For instance – if they’re using payment landing pages for an e-commerce solution, as well as EMV terminals for their retail counters, those could fall under two different SAQs. They could do one SAQ-D across the board, or they could apply separate SAQs to each of those environments.”

Separate locations and/or business units can also necessitate multiple SAQs. As Paolozzi continues to explain:

“Another example would be a case where a merchant has completely separate environments at separate locations. It’s one thing if they have, for instance, a VPN that goes back to their headquarters, but if they have completely separate processing setups at each retail branch, that would require multiple SAQs.”

With these explanations in mind, it’s still critical to consult with a PCI-certified QSA to confirm the best approach for your specific environment. Different technical configurations, such as the way a network is segmented (e.g., if it has shared infrastructure, such as firewalls), can influence your eligibility for a reduced SAQ; a QSA is the only individual who can authoritatively decide how your setup impacts your requirements.

Can You Re-Use Documentation Across SAQs?

Each SAQ will require you to document certain security measures, but you may be able to re-use documentation across SAQs to simplify the process. Your Information Security Policy and Incident Response Plan, for instance, may be shared if they apply to your entire cardholder data environment.

However, each SAQ may also require channel-specific evidence (e.g., a vulnerability scan for e-commerce or terminal logs for retail). Be sure your documentation meets each environment’s specific requirements.

Submitting Multiple SAQs: How Does That Work?

If you’re using more than one SAQ, each should be completed independently, then submitted together to your acquiring bank or processor. In most cases, your acquirer will be accustomed to this approach, especially for larger or multi-channel merchants.

It’s essential that:

  • There are no overlaps or gaps between the environments covered.
  • The descriptions of scope in each SAQ clearly define which part of your business it applies to.

Reduce Your PCI Scope with Curbstone

Compliance can be complicated – but a scope reduction partner like Curbstone can help. Our payment solutions are intentionally designed to help you reduce your PCI reporting obligations. For instance:

  • Remote tokenization allows you to process transactions without entering, storing, or transmitting cardholder data on your own system.
  • EMV terminals are isolated from your broader network, helping reduce exposure to the rest of your system.
  • Our e-commerce configuration relies on iFrames to shift the burden of compliance onto the service provider (aka, us!).

These technologies have helped customers successfully reduce the burden of compliance by meeting the criteria for shorter SAQs. See how one customer took their entire web server out of scope for the PCI SAQ-D.

Interested in learning how to make your compliance efforts as simple and straightforward as possible? Contact us to start the conversation.