4 Questions to Determine Which PCI DSS Self-Assessment Questionnaire (SAQ) to Complete

Now that you've decided to create/configure your business to accept credit cards as a form of payment, you may be curious what impact that decision will have on your business operations. Working towards aligning your policies, procedures, standards, and controls with the requirements set forth in the Payment Card Industry Data Security Standard (PCI DSS) can be quite adventurous. You'll need to make sometimes agonizing choices about how best to protect the cardholder data that you either store, process, or transmit. You might even question the decision to accept credit card payments. Are the benefits derived from accepting credit card transactions worth the headaches?

I can't answer that question for you, but I can emphatically tell you this: If your business model includes accepting credit card payments, you have the responsibility to periodically validate that your suite of controls remains in compliance with the PCI DSS. If your respective acquirer or payment brand does not require you to submit a PCI DSS Report on Compliance (ROC), then you are eligible to evaluate your compliance utilizing a self-assessment questionnaire (SAQ). However, there are multiple versions of the PCI DSS SAQs to meet various scenarios. I have seen many of our customers struggle with the same challenge: Which SAQ should I complete? When determining which SAQ is right for your organization, technical details matter!

The following are some of the core questions you will have to ask yourself in determining which SAQ to select for your self-assessment:

1. Are you a mail order, telephone, or e-commerce merchant that does not accept physical credit card payments (often referred to as “card not present transactions”) and has fully outsourced your payment processing to a PCI DSS compliant service provider?

If yes, you should select SAQ A if you do not directly store, process, or transmit cardholder data. In this scenario, the transaction is passed directly to the payment processor by a website iFrame or is fully redirected to the payment processor.
If you accept e-commerce transactions which are outsourced but your website delivers some elements of the payment page, you should select SAQ A-EP.

2. Do you process transactions only via imprint or dial-out machines or via approved PIN transaction security (PTS) devices?

If yes, and your device has internet access (i.e., is assigned an IP), you should select SAQ B-IP.
If yes, but your device doesn’t have internet access, you should select SAQ B.

3. Do you process transactions via a payment application connected to the internet AND you are not an e-commerce merchant?

If yes, and transactions are processed via a payment application on a Point of Sale (POS) terminal or a PC with an internet connection, you should select SAQ C.
If yes, and transactions are processed via your web browser sending to a service provider’s virtual payment application, you should select SAQ C-VT.

4. If you answered no to all of the above questions, then there is the “catch all” of SAQ D. In addition, if you are a payment processing service provider or you store any cardholder data, then you should select SAQ D.

As noted at the beginning of this blog, there can be agonizing choices to make when it comes to implementing controls and validating your PCI compliance. Selecting an improper self-assessment questionnaire for your PCI DSS compliance efforts will likely lead to additional work on your part after your acquirer and/or payment brand reviews your submitted SAQ. You can't avoid choosing a SAQ. And don’t forget that all of this is subject to change if the DSS is changed in any way. This blog was created with PCI DSS v3.2.1 in place.

As a wise, old knight once said to a swashbuckling adventurer seeking the Holy Grail: “Choose wisely.”

If you are still unclear about which SAQ to complete, NuHarbor can help. Contact us today!

You can also visit our website to see our available PCI services:

https://nuharborsecurity.com/pci-compliance

Included Topics

Jeffrey Bamberger

Jeffrey Bamberger is the Principal Advisor for Information Assurance at NuHarbor Security. Jeff brings over 30 years in cybersecurity and information technology experience, focusing on consulting, risk management, compliance, and audit. Jeff's broad consulting experiences include cyber risk/threat management and assessment, information security control assessments, payment card industry (PCI) compliance, social engineering and physical security, privacy, vendor management, and Sarbanes-Oxley compliance. A graduate of the F.W. Olin Graduate School of Business at Babson College, he holds a Master of Business Administration degree. Jeff also has a Bachelor of Arts in Computer Science and Religion from Colgate University. He is a current member of the New England Chapter of the Information Systems Audit and Control Association and holds both a CISA and CISM certification.