Organisations that accept card payments are responsible for the security of customers’ payment information and must comply with the PCI DSS (Payment Card Industry Data Security Standard).
Compliance will be a lengthy process for some, but organisations that handle fewer than six million card transactions annually can generally validate compliance by completing an SAQ (self-assessment questionnaire) rather than undergoing a full on-site assessment by a QSA (Qualified Security Assessor), subject to their acquirer's requirements.
There are several types of SAQ, each applying to a different way of handling cardholder data. Choosing the wrong one is a common mistake, so check the eligibility criteria for each carefully.
SAQ A
For card-not-present merchants that outsource all cardholder data processing to PCI DSS validated third parties and do not store, process or transmit cardholder data on their own systems. This includes e-commerce merchants and mail/telephone order merchants.
It applies where:
- All elements of the payment page delivered to the customer's browser originate directly from a PCI DSS compliant third-party payment processor; or
- The merchant's website embeds an iframe (inline frame) served by, or provides a URL that redirects customers to, a PCI DSS compliant third-party payment processor.
Nearly all online merchants aim for SAQ A, because it is the simplest, least time-consuming assessment.
SAQ A-EP
For e-commerce merchants that don't receive cardholder data on their own systems but do control the method through which data is sent to a third-party payment processor. Because the merchant's website influences how cardholder data is captured, it is in scope, which is why SAQ A-EP is considerably longer than SAQ A.
It applies where:
- The merchant's website creates the payment form and "direct posts" payment data from the customer's browser to a PCI-compliant third-party payment processor; or
- The merchant’s website provides an iframe or URL that redirects a consumer to a PCI-compliant third-party payment processor, but some elements of the payment page originate from the merchant website.
SAQ B
For merchants that only process payment card data via imprint machines or via standalone dial-out terminals, and that do not store cardholder data electronically.
Card imprint machines are non-electronic machines that make an imprint of the payment card, transferring the imprint onto a carbon paper receipt, which is then stored by the merchant.
Dial-out terminals are electronic machines that read chip and PIN or magnetic-stripe cards, or allow the merchant to key in card details manually. To be eligible for SAQ B, a merchant's standalone dial-out terminal must be connected to a phone line and nothing else: no network or Internet connection, and no connection to any other system in the merchant's environment.
SAQ B-IP
For merchants that don't store cardholder data electronically but use standalone, PTS-approved (PIN Transaction Security) POI (point-of-interaction) devices with an IP connection to the payment processor. The devices must be segmented from other systems in the merchant's environment. These merchants may handle either card-present or card-not-present transactions.
SAQ C-VT
For merchants that manually key one transaction at a time into a virtual payment terminal rather than processing payments through a POS system. A virtual terminal provides web-based access to a third party that hosts the payment-processing function; the merchant's computer is used only to reach that third party and must not store cardholder data.
SAQ C
For merchants that process cardholder data via POS (point-of-sale) systems or other payment application systems connected to the Internet.
To be eligible for SAQ C, a merchant's payment application systems must be isolated from other systems in its environment (for example, by network segmentation), must be the only Internet-connected devices in the cardholder data environment, and must not store electronic cardholder data.
SAQ D
For those that don't fit into any of the above categories, including merchants that store cardholder data electronically. It is often referred to as 'Report on Compliance Light', because it requires organisations to assess themselves against all 12 PCI DSS requirements, albeit without the independent on-site assessment of a full RoC (Report on Compliance).
There are separate forms for merchants and service providers.
SAQ P2PE
For merchants that handle card-present transactions only, meaning it is not applicable to organisations that deal in e-commerce.
Merchants that use a PCI-validated P2PE (point-to-point encryption) solution, have implemented it according to the solution's P2PE Instruction Manual and do not otherwise receive or store cardholder data electronically are eligible for SAQ P2PE (known as SAQ P2PE-HW in earlier versions of the standard).
How to complete the SAQ
Hopefully you've now identified which SAQ applies to you, but how do you go about completing the form? Whichever SAQ you use will be full of detailed technical questions, and the PCI Security Standards Council encourages you to seek professional guidance before you begin.
You can get to grips with what’s required of you by registering for our PCI DSS webinar series.
Our upcoming presentations provide essential guidance on how to understand and implement the necessary measures, covering the basics of PCI DSS compliance, the policies and procedures you must put in place, and your security testing requirements.