The PCI DSS Self-Assessment Questionnaire (SAQ)
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool for qualifying merchants and service providers that are required neither to undergo an on-site data security assessment nor to submit a Report on Compliance (ROC). The purpose of the SAQ is to help organisations self-evaluate their compliance with the PCI DSS.
All merchants and their service providers are required to comply with the PCI DSS in its entirety. In February 2014, the PCI Security Standards Council introduced the new self-assessment questionnaires and Attestation of Compliance.
All of the latest PCI DSS SAQs can be found on the PCI Security Standards Council’s website. The PCI DSS SAQ Workshop can help you understand how to complete your SAQ.
Which SAQ do I need to complete?
Use the table below to identify which SAQ you need to complete, and whether a vulnerability assessment mechanism is required.
SAQ instructions and guidelines
Guidance on which SAQ your organisation is eligible to complete.
SAQ | Description | Penetration test required | ASV scan required
A | Card-not-present (e-commerce or mail/telephone-order) merchants; all cardholder data functions outsourced. This would never apply to face-to-face merchants. | No | No
A-EP | E-commerce merchants that outsource their payment processing but not the administration of the website that links to it, and so must protect that website properly. This situation is now common. | Yes, external only | Yes
B | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. | No | No
B-IP | Merchants using standalone PIN entry devices (PEDs) connected to the processor over an IP connection rather than a phone line, as is increasingly common among SMEs. | No | Yes
C-VT | Merchants using only web-based virtual terminals; no electronic cardholder data storage. | No | No
C | Merchants with payment application systems connected to the Internet; no electronic cardholder data storage. | No | Yes
D (Merchant) | All other merchants not included in the descriptions for SAQ types A through C above. | Yes | Yes
D (Service Provider) | All service providers defined by a payment brand as eligible to complete an SAQ. | Yes | Yes
P2PE-HW | Merchants with only hardware payment terminals included in a validated, PCI SSC-listed P2PE solution; no electronic cardholder data storage. | No | No
Changes introduced by the latest version of the PCI DSS
The new requirements introduced by versions 3.0, 3.1 and 3.2 are aimed at underscoring the intent of the PCI DSS that “Payment security becomes business as usual.”
It is important to realise that many merchants use multiple methods of taking payment, which may fall under different SAQs and therefore require different vulnerability detection methods (penetration testing, ASV scanning, or neither). Applying the right method to each payment channel can be crucial to gaining and maintaining compliance.
Completing the SAQ
It is important to choose the right SAQ, but organisations often aren’t sure which SAQ they have to complete, especially with the changes introduced by the latest version. It is best to check with your acquiring bank which SAQ is applicable before starting the process. The challenging part is often the completion of the SAQ itself.
PCI SAQ Workshop
If you are responsible for completing your organisation’s SAQ, then we highly recommend attending a PCI DSS SAQ Workshop.
This one-day workshop is designed to give delegates the practical knowledge required to complete the new PCI DSS self-assessment questionnaires (SAQs) and ensure full compliance with the Standard.
Learn more about the PCI DSS SAQ Workshop.
PCI DSS Qualified Security Assessor (QSA)
By consulting a Qualified Security Assessor (QSA), you will gain the benefit of their extensive PCI experience, combined with deep technical expertise, helping you reduce the scope of your cardholder data environment and enabling you to complete the SAQ in the correct manner. An SAQ counter-signed by a QSA also lends credibility to the submission.
Learn more about our QSA services.