Organisations that accept card payments are responsible for the security of customers’ payment information and must comply with the PCI DSS (Payment Card Industry Data Security Standard).
Compliance will be a lengthy process for some, but organisations that handle fewer than six million transactions annually can speed up the process by completing an SAQ (self-assessment questionnaire).
There are several types of SAQ that apply in different circumstances.
For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants.
It applies where:
- The merchant’s website is hosted and managed by a PCI-compliant third-party payment processor; or
- The merchant’s website provides an iframe (inline frame) or URL that redirects customers to a PCI-compliant third-party payment processor.
Nearly all online merchants aim for SAQ A, because it is the simplest, least time-consuming assessment.
For e-commerce merchants that don’t receive cardholder data but do control the method through which data is redirected to a third-party payment processor.
It applies where:
- The merchant’s website creates a payment form and “direct posts” payment data to a PCI-compliant third-party payment processor; or
- The merchant’s website provides an iframe or URL that redirects a consumer to a PCI-compliant third-party payment processor, but some elements of the payment page originate from the merchant website.
Free PDF download: The PCI DSS and its SAQs
You can find out more about SAQs by downloading our free green paper: The PCI DSS and its SAQs.
This guide explains in more detail what each self-assessment questionnaire contains, and offers practical guidance to help you identify which one is right for you.
For merchants that only process credit card data via imprint machines or via a standalone dial-out terminal.
Card imprint machines are non-electronic machines that make an imprint of the payment card, transferring the imprint onto a carbon paper receipt, which is then stored by the merchant.
Dial-out terminals are electronic machines that use chip and PIN and swipe cards, or require users to manually key in information. To be eligible for SAQ B, a merchant’s standalone dial-out terminal must be connected to a phone line and nothing else.
For merchants that don’t store card data in electronic format but use IP-connected POI (point-of-interaction) devices. These merchants may handle either card-present or card-not-present transactions.
For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function.
For merchants that process cardholder data via POS (point-of-sale) systems or other payment application systems connected to the Internet.
To be eligible for SAQ C, a merchant must operate isolated payment application systems that are connected to the Internet and don’t store electronic cardholder data.
For those that don’t fit into any of the above categories. It is often referred to as ‘Report on Compliance Light’, because it requires organisations to go through all 12 PCI DSS requirements, albeit on a reduced scale.
There are separate forms for merchants and service providers.
For merchants that use card-present transactions, meaning it is not applicable to organisations that deal in e-commerce.
Merchants that use a PCI-validated P2PE (point-to-point encryption) solution and have implemented it successfully are eligible for SAQ P2PE-HW.
How to complete the SAQ
Hopefully you’ve now identified which SAQ applies to you, but how do you go about completing the form?
That’s where our PCI DSS Documentation Toolkit can help. It contains all the template documents you need to ensure complete coverage of your PCI DSS requirements.
All you need do is fill in the sections that are relevant to your organisation.
The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise.
The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.
It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant with the Standard.
A version of this blog was originally published on 11 September 2019.