Every merchant that accepts credit card payments is required to complete a PCI Self-Assessment Questionnaire, or SAQ. There are several different types of SAQs – some of which are more difficult and time-consuming than others.
With 8 different questionnaires, determining where to start can be overwhelming. Thankfully, PCI considered this challenge and created two detailed guides to help merchants with compliance planning:
Understanding the SAQs for PCI DSS version 3
SAQ Instructions and Guidelines
Each SAQ is designed for a different payment environment. The type you’ll need to complete will depend on how you collect, store, and transmit credit card data. The general guidelines are as follows:
A – Card-not-present merchants (e-commerce or mail/telephone-order), that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
A-EP – E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of cardholder data on merchant’s systems or premises.
B – Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. (Not applicable to e-commerce channels)
B-IP – Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder data storage. (Not applicable to e-commerce channels)
C-VT – Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. (Not applicable to e-commerce channels)
C – Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. (Not applicable to e-commerce channels)
P2PE – Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage. (Not applicable to e-commerce channels)
D – All merchants not included in descriptions for the above SAQ types.
How Your Payment Processing Environment Determines Your PCI Reporting Requirements
The whole idea behind PCI compliance is to limit the presence of card data from unnecessary (and insecure) systems and processes. This concept trickles into the SAQs. The fewer places your environment touches cardholder data, the smaller your scope. The smaller your scope, the more likely you are to qualify for a reduced SAQ.
Of course, if you have any questions about which SAQ you should be completing, you can work with a Qualified Security Assessor to make sure you’re meeting your compliance requirements.
Completing Multiple SAQs
An important fact to point out is that PCI doesn’t necessarily expect a merchant to complete one single SAQ to satisfy all their compliance requirements. In fact, the SAQs are designed to be specific to each of your different payment channels – retail, e-commerce, MOTO, etc. All of the self-assessment questionnaires other than the SAQ-D contain questions that are applicable to a specific type of environment.
The concept is to start with the SAQ A and ask yourself if any of your payment interfaces meets the qualification criteria. If not, you can proceed to the A-EP, and so on down the list. By the end of your evaluation process, you should have an SAQ for each payment channel. If any payment channel does not meet the criteria of one of the reduced SAQs, the default catch-all is SAQ D, which covers everything else.
If there are PCI requirements that are applicable to your environment that are not addressed in your SAQ, that may be an indicator that you have selected the improper SAQ.
What Do I Do with My SAQ Forms?
PCI has long required merchants who accept credit cards to complete annual SAQs. However, enforcement of this PCI requirement is left to individual acquirers. Once you complete your SAQ(s), you’ll submit the completed forms (along with any other necessary documentation, such as a copy of your most recent vulnerability scan) directly to your acquirer. In some cases, payment brands may ask for this information as well.
One thing to keep in mind: some acquirers are very strict about compliance, imposing costly non-compliance fees to merchants who do not submit the required documentation on the required schedule. Other acquirers may not actively demand compliance from their merchants.
While it may be tempting to skip the process if your acquirer does not directly ask you for your documentation, Curbstone recommends that you complete a self-assessment questionnaire each year, even if your acquirer doesn’t ask you to submit the resulting forms. In this case, you can create a local PCI repository where you can archive your completed SAQs. If and when your acquirer decides to more strictly enforce PCI compliance requirements – or if you change acquirers – you’ll be three steps ahead of the game.
Qualify for a Shorter, Easier SAQ
The SAQs are listed in alphabetical order, but the order also reflects their complexity.
The SAQ D is the largest and most complex; all others are considered a reduced version. In other words, all merchants should complete a SAQ D by default, unless they do something to qualify for the reduced SAQs.
Ultimately – the SAQ D is huge and could take weeks, if not months, to complete. This is especially true for merchants who have smaller IT departments, without a designated security or compliance leader. Even completing multiple reduced SAQs is a simpler, less impactful task than completing one SAQ D!
This is where a payment security partner, like Curbstone, can help you reduce the burdens of compliance. Our credit and debit card processing software was designed to allow merchants to qualify for the smallest SAQ possible.
Regardless of your use case – whether you’re using Curbstone for e-commerce payments, mail order/phone order payments, in-person EMV payments, or any combination of the above – Curbstone can help you spend less time on your compliance reporting. Our technologies keep sensitive payment data off your system, reducing your PCI scope. Meanwhile, we take on the more complex audits on our end, going above and beyond to keep your customers’ data secure from threats.
Ready to spend less time on your next PCI SAQ? Contact Curbstone to learn more about your options: