How to Choose the Right PCI SAQ & Reduce Requirements

PCI SAQ types

If you are a small or medium-sized business, you are most likely eligible for a PCI Self-Assessment Questionnaire (PCI SAQ). SAQs are a slimmed-down version of the PCI Report on Compliance (ROC). Depending on your PCI Level, which is determined by the number of transactions you process annually, a SAQ may be suitable for you. As the name suggests, SAQs allow you to fill out your own report.

We are going to look at what SAQs are and how they are used to achieve PCI DSS compliance, and show you how to choose and complete the SAQ that applies to your organization. By the end of this article, you will be prepared to begin your SAQ journey.

What is a PCI DSS Self Assessment Questionnaire?

SAQs are a validation tool used to assist SAQ-eligible merchants and service providers in reporting on and achieving their PCI DSS compliance. SAQs help you:

  • Align with the PCI DSS Requirements
  • Obtain an Attestation of Compliance (AOC)
  • Read information on how to conduct and complete your assessment
  • Properly document and attest to your PCI compliance
  • In PCI DSS 4.0, document your Targeted Risk Analyses

SAQs simply require merchants to check a box for each requirement with one of the following responses:

  • In Place
  • In Place with CCW (Compensating Control Worksheet)
  • In Place with Remediation
  • Not Applicable
  • Not in Place [With the exception of SAQ D Service Provider]

ROCs require evidence to be explicitly linked to each requirement, along with descriptions of why the requirement is in place. With SAQs you don’t need to specifically call out the evidence. Even so, it is still very important that you capture and store this evidence for reference. For the SAQ D Service Provider, you must provide descriptions for each requirement to support the response you give.

At the beginning of each SAQ you will find several information sections, where you provide information about your business or organization and how it stores, processes, or transmits cardholder data.

At the end of the assessment you will find your CCW template in Appendix B, the Explanation of Requirements Noted as In Place with Remediation in Appendix C, the Explanation of Requirements Noted as Not Applicable in Appendix D, and finally your report validation. Which appendices you need to complete depends on how you answer the requirements. For example, every requirement you mark as In Place with Remediation must be noted in Appendix C.

While SAQs are self-assessments, it’s still best to have a person with technical proficiency perform the assessment to ensure that you aren’t just “Checking the Box.” Going further, it might also be beneficial to engage with a PCI QSA, ISA, or PCIP to ensure that you are properly filling out the SAQ. They have the appropriate knowledge and training to help you quickly and accurately assess your environment. If your environment is fairly simple and doesn’t change often, at a minimum, you could engage a PCI Professional to conduct your first assessment to lay out the guidance and precedent for future assessments.


Who Can Use an SAQ to Attain Compliance?

If you are a designated PCI Level 1 Merchant or Service Provider, you cannot use PCI SAQs to complete your PCI assessments unless you receive permission from your payment acquirer. If you are a Level 2 through Level 4 Merchant or Service Provider you may use a PCI SAQ. It’s important to note that this is a general description.

It’s always best to ask your payment acquirer as they are the ones who will ultimately dictate the type of report you should be using to demonstrate PCI compliance.

The purpose for having various levels for PCI DSS compliance has to do with risk. Levels 2 through 4 are lower volume merchants whereas Level 1 merchants are processing 6M+ transactions per year and thus have more risk to the payments industry if breached.

For that reason, the ROC is much more in-depth, requiring merchants to prove they are compliant instead of just attesting that they are. These merchants also need to be assessed by an independent third-party QSA, who is also held to a higher standard. QSA reports can also be audited by the PCI Security Standards Council to ensure that QSAs are performing assessments appropriately.

If you are eligible for a PCI SAQ, this doesn’t mean that you should take your compliance any less seriously. As you are taking payments, you are still at risk of having cardholder data breached.

The PCI requirements are designed to assist you in properly securing your data environments. They are there to help you! That being said, when you submit your compliance reports you are telling the acquirer, card network (Visa, MasterCard, Discover, etc.), and your customers that you are securing your environment the way you are supposed to. The second you get breached, these reports will come to light and be held under scrutiny. That’s why it’s crucial that you don’t just “check the box.”

How Long Does a PCI SAQ Take?

In our review of the nine available SAQ versions, you will find that the process can take anywhere from a few weeks to a few months.

SAQ A has far fewer requirements than SAQ D, which contains all applicable PCI requirements. This means that SAQ A assessments will take significantly less time than SAQ D assessments.

To gain deeper insight into how long it takes to get PCI DSS certified, you can read our other article, How Long Does it Take to Get PCI Certified.

In a simplified process, you need to perform the following steps:

  1. Scoping
  2. Interviews 
  3. Evidence and Document Gathering
  4. Reporting (Filling out the SAQ)

While SAQs are on a smaller scale compared to a ROC, you still must gather the appropriate evidence to support your responses on the report. Depending on the complexity of your environment, these steps and the overall assessment process timeline can vary.

How Often Must You Complete an SAQ?

Like all PCI reporting, you must complete the PCI SAQ and AOC documents annually. If you don’t, you are out of compliance with PCI DSS.

It’s important to note that PCI DSS is not designed to be just a point-in-time assessment either. In version 4.0 this is more evident, as the requirement wording has shifted to include defined frequencies at which certain items must be performed. These frequencies can be monthly, quarterly, bi-annual, or annual.

Filling out the SAQ is the annual documentation of ongoing processes that you are completing within your organization. If your mindset is to just check some boxes and complete a report each year, you aren’t truly PCI compliant and your reporting and compliance are not solid.

The 9 Different SAQs Explained

There are nine SAQs that vary based on your cardholder data environment (CDE). The more card processing you have, the more requirements you will need to complete. The SAQs are specifically designed to outline the requirements that are only applicable to certain environments. 

In this section, we are going to look at each SAQ in-depth and provide the information you need to determine which SAQ is right for you and your organization.

For each SAQ, be sure to read the “Merchant Eligibility Criteria” section to ensure that you meet all of the points to perform that SAQ type. 

SAQ A

Snapshot:

  • Who is Applicable: “Merchants with account data functions completely outsourced to PCI DSS validated and compliant third parties, where the merchant retains only paper reports or receipts with account data.” Wording directly from the SAQ A Guidance.
  • Who is Specifically Not Applicable: 
    • Service Providers
    • Merchants with face-to-face channels
  • Number of Requirements: 31

You can only use an SAQ A if you ONLY accept card-not-present transactions.

All processing of the card data must be outsourced to a PCI DSS compliant third-party service provider or payment processor. The key difference between SAQ A and SAQ A-EP is that for SAQ A all processing and account data functions must be completely outsourced to a third party. You also cannot store, process, or transmit account data within your systems or premises. You are able to keep paper reports or receipts with account data.

Think of a website accepting payments for an online store where you are fully using Stripe or Square to process the payments on your behalf. The handoff to Stripe must be complete, with no custom code on the website to complete or process the transaction. This situation would most likely fit into SAQ A.

SAQ A-EP

Snapshot:

  • Who is Applicable: “E-commerce merchants with a website(s) that does not itself receive account data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data.” – Wording directly from the SAQ A-EP Guidance.
  • Who is Specifically Not Applicable: 
    • Service Providers
    • Merchants whose payment channels are not e-commerce only
  • Number of Requirements: 159

You can use an SAQ A-EP if your e-commerce website does not receive account data directly but can impact the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data. All other processing, other than the payment page, must be outsourced. 

For example, say that your website uses WordPress and WooCommerce with a Stripe or Square plugin. WooCommerce is handling the cart and checkout process on your website. Your website calculates the cost and sends the payment to Stripe or Square for processing. SAQ A-EP adds requirements around site and script security to ensure that an attacker cannot modify your code to charge cards for incorrect amounts. In other words, your website has the ability to affect the security of the payment transaction or the integrity of the payment page.

SAQ B

Snapshot:

  • Who is Applicable: “Merchants that process account data only via imprint machines or standalone, dial-out terminals.” – Wording directly from the SAQ B Guidance.
  • Who is Specifically Not Applicable: 
    • Service Providers
    • Merchants with e-commerce channels
  • Number of Requirements: 27

SAQ B is not a very common SAQ type. It is only for merchants that process account data via imprint machines or standalone, dial-out terminals. The dial-out terminals may only be connected via a phone line over a dial-up connection, not over an internet connection. Imprint machines are not typically used anymore. You also cannot store electronic card data, as this SAQ is only for processing over telephone lines. Most likely, you are not going to use this SAQ type in your assessment.

SAQ B-IP

Snapshot:

  • Who is Applicable: “Merchants that process account data only via standalone, PCI-listed approved PIN Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor.” – Wording directly from the SAQ B-IP Guidance.
  • Who is Specifically Not Applicable: 
    • Service Providers
    • Merchants with e-commerce channels
  • Number of Requirements: 48

This SAQ type is for a very specific case that most don’t utilize. You cannot use this SAQ type for an e-commerce site. You are able to store the account data in an electronic format from the terminal machines along with paper storage for receipts. 

This would be ideal if you have payment terminals that are not connected to any other systems, or the internet, and dial out through a phone line directly to the payment processor. Imprint machines are typically not electronic and take an ink/paper imprint of the card number for processing. Neither is a commonly used processing method today.

SAQ C

Snapshot:

  • Who is Applicable: “Merchants with payment application systems (for example, point-of-sale systems) connected to the Internet, and that do not store electronic account data.” Wording directly from the SAQ C Guidance.
  • Who is Specifically Not Applicable: 
    • Service Providers
    • Merchants with e-commerce channels
  • Number of Requirements: 132

SAQ C is applicable if you only have POS systems that are connected to the internet and don’t store cardholder data. The payment application system must be segmented or isolated at the network level from all other devices, systems, or networks. The POS systems must also not connect to other locations for further processing.

This would be for a small business that has a POS system that takes payments which is segmented on its own network and goes right to the payment processor. This would not apply to something like Walmart where their individual store POS machines are most likely sent to a central data center before being sent for processing.

You cannot have any other type of processing in your environment except POS systems that fit these criteria. If you do, for example if you also have an e-commerce website, then another SAQ type applies to you.

SAQ C-VT

Snapshot:

  • Who is Applicable: “Merchants that process account data only via third-party virtual payment terminal solutions on an isolated computing device connected to the Internet.” Wording directly from the SAQ C-VT Guidance.
  • Who is Specifically Not Applicable: 
    • Service Providers
    • Merchants with e-commerce channels
  • Number of Requirements: 54

SAQ C-VT is applicable for virtual third-party payment terminal solutions on isolated networks. The solution may only be accessed through an internet-connected web browser, the third party must be PCI compliant, account data cannot be stored, and additional hardware devices cannot be attached to capture cards, among other conditions.

Think of a single computer that is used to manually key a card into a website such as Stripe, Square, or your payment processor. Only a single transaction at a time may be processed, entered via a keyboard. Many organizations are not eligible for SAQ C-VT alone, as this option is typically a backup. If you have other processing such as POS or e-commerce, you will be applicable to another SAQ. To use SAQ C-VT, this defined method must be the only payment method in use.

SAQ D Merchant

Snapshot:

  • Who is Applicable: “Merchants that are eligible to complete a self-assessment questionnaire but do not meet the criteria for any other SAQ type.” Wording directly from the SAQ D Merchant Guidance. Some examples of merchant environments that could be applicable include but are not limited to:
    • E-commerce merchants that accept cardholder data on their website
    • Merchants with electronic storage of cardholder data
    • Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type
    • Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment. 
  • Who is Specifically Not Applicable: 
    • Service Providers
  • Number of Requirements: 251

The SAQ D Merchant is the bread and butter of PCI compliance and is the one most organizations are eligible for. If you have even a combination of e-commerce and POS devices, are storing card data and/or if you have card data on other platforms like call centers, this is your standard. This also applies if you don’t fit the specific criteria of the other SAQs and you aren’t a service provider.

SAQ D Service Provider

Snapshot:

  • Who is Applicable: “Service providers defined by a payment brand as being eligible to complete a self-assessment questionnaire.” Wording directly from the SAQ D Service Provider Guidance. This is the only option for service providers who are eligible to complete a SAQ.
  • Who is Specifically Not Applicable: 
    • N/A
  • Number of Requirements: 268

The SAQ D Service Provider is only for service providers that are eligible for an SAQ instead of a ROC. A PCI Service Provider is a business entity that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. If you are only taking payments for your own business, then you are not a service provider. 

SAQ P2PE (Point-to-Point Encryption)

Snapshot:

  • Who is Applicable: “Merchants that process account data only via a validated PCI-listed P2PE solution. SAQ P2PE merchants do not have access to clear-text account data on any computer system, and only enter account data via payment terminals from a validated PCI-listed P2PE solution.” Wording directly from the SAQ P2PE Guidance. SAQ P2PE merchants could be any of the following:
    • Brick-and-mortar (card-present)
    • Mail/telephone-order (card-not-present)
  • Who is Specifically Not Applicable: 
    • Service Providers
    • Merchants with e-commerce channels
  • Number of Requirements: 21

If you utilize a PCI-certified P2PE solution, there is now a separate SAQ just for these merchants. You cannot have access to clear-text account data or have the ability to decrypt the data. In other words, you do not hold the encryption/decryption keys. This also only applies to payment terminals. 

Attestation of Compliance (AOCs)

For each SAQ you will also need to fill out the corresponding AOC. This is the document you can quickly and easily send to anyone who wants you to demonstrate your PCI compliance, such as your payment acquirer. It is a summary of your SAQ that provides the necessary background information on your payment processes, the requirements you are (and are not) compliant with, and your assessment acknowledgments and signatures.

What Happens After You Submit Your PCI SAQ?

In a passing scenario, your payment acquirer most likely will not require anything else from you. You are good for another year! Depending on how much your payment acquirer pays attention to your reports you may go under the radar, but don’t count on that happening forever.

If you have failing requirements, your payment acquirer will most likely put your organization on an action plan. They will provide a timeline where you must fix what you were failing, get reassessed on those requirements, and circle back with a passing report. If you do not fix these items then you are subject to payment fines or the risk of losing your payment processing access (you will no longer be able to accept credit card payments).

The best course of action is to communicate and work with your payment acquirer. If you are unable to fix the failures within the timeframe, work with them on an extension. Most of the time, if you are actively working to fix the failures and it’s just taking a little longer, your payment acquirer should be satisfied. Just work with them and keep them updated on your progress.


Compliance Strategy: Swapping to an Easier SAQ

If you are currently assessing with SAQ D Merchant and you want to move to a smaller SAQ, you might be able to do so. Reading through the SAQ details, you must fit the eligibility criteria for that SAQ. Internal discussions must occur to identify what could be changed or eliminated to reduce the PCI environment. As a rule of thumb: if you don’t need to store it, don’t. No SAQ other than SAQ D permits you to store account data. The next options could be outsourcing, P2PE, and other changes that will help you fit the requirements of a smaller SAQ.

It’s important to note the difference between changing your payment processes, which determines your SAQ, and descoping or segmentation. Segmentation allows you to descope your IT environment so that you assess fewer devices. As long as the networks are segmented, enforced via firewalls or other types of Network Security Controls (NSCs), and the only devices on the scoped network are PCI related, you can assess fewer devices. This alone will NOT allow you to switch to a different SAQ. Your payment processing overall needs to change. For example, by moving to a P2PE-focused POS solution alone, you are reducing your scope but can now also change to the SAQ P2PE, which has only 21 requirements.

Depending on what’s easier for your organization you can also combine environments or split them out. For example, if you have an e-commerce environment applicable to SAQ A but also an environment applicable to SAQ D, you could assess the e-commerce site with the SAQ D to have one report but also against more requirements. Alternatively, you could perform an SAQ A only on the e-commerce site and SAQ D for everything else. This is where you can get a little creative while still maintaining your compliance. Ultimately it depends on your environment and payment processes.

Tips For Completing Your SAQ

Getting help with a PCI SAQ

There are a few tips you can use to make your SAQ process a little easier. Not only will they help get you to compliance but they will help your organization be security-focused first to better protect the PCI data you have. 

  1. Consult a PCI Professional for Guidance

When in doubt, consult a PCI Professional (QSA, ISA, PCIP). If you aren’t sure what SAQ you are able to complete, ask a PCI Professional to help you select the most appropriate report. They can also help you identify what you need to do in order to move to another SAQ report in the future. Additionally, if you don’t want to fill out the reports yourself, a PCI Professional can help you do this as well. 

  2. Set Up PCI as a Continuous Process

If you have the proper governance and processes in place that align with PCI, the evidence gathering and assessment process goes much more smoothly. Compliance starts with proper governance. If you have these processes in place from the start, you will make smaller corrections to become PCI compliant compared to working from the bottom up. A continuous process ensures that you are monitoring and maintaining compliance on an ongoing basis. You are fixing smaller things more frequently instead of making many revisions once a year.

  3. Document and Gather the Necessary PCI Items

Based on your PCI scope, only gather the documents and evidence that pertain to the items in your scope. If it’s not in scope, it isn’t needed for the report. This will reduce the number of systems you need to assess (as long as your entire environment isn’t in scope). Additionally, once you are performing your second PCI assessment, use what you gathered last year as a reference point and update it as your scope and environment change. This gives you a great starting point for the current year. In other words, don’t reinvent the wheel.

  4. Be Honest

The last thing you want to do is lie on your PCI SAQ. If you aren’t compliant with a requirement, say that you aren’t and fix it. “Check the Box” assessments will only hurt you in the long run. Your SAQs will come under scrutiny following a breach. So if you lie, it will come out.

  5. Focus On Segmentation & Descoping

If you have the ability to segment and descope your environment to include fewer devices, systems, networks, etc., then it should be a focus. There is no reason to leave your PCI environment larger and more exposed than it needs to be. This will not only better protect the PCI environment but also reduce the amount of work come assessment time.

Can a PCI QSA Help With Your SAQ?

While SAQs are meant to be a self-contained task, there are several advantages to enlisting the assistance of a PCI Professional.

The first reason is knowledge. A PCI Professional has the knowledge to make sure that you are doing things the right way. A lack of knowledge will not be a good excuse if a breach happens. It’s the equivalent of not knowing the law and committing a crime that you didn’t know was a crime.

PCI Professionals can also be used to check your work. This kind of engagement will most likely be smaller and cheaper. You perform the initial work, and they act as a second set of eyes to make sure you didn’t miss anything or perform anything incorrectly.

The second reason is resources. If you are a small business, you might not have the ability to perform PCI assessments with internal resources who are focused on running the business. Outsourcing the assessment to a PCI QSA allows your team to be less involved. They will still need to gather the QSA-requested evidence, but the planning, communications, and reporting will all be handled by the QSA.

No matter which method or SAQ you choose, you are one step closer to achieving your PCI compliance. Selecting something one year doesn’t mean you cannot pivot later on. The most important thing is to start sifting through the information and making more informed decisions later. Ultimately, this article is your step-by-step guide to making that process simpler.


Published by Noah Stahl PCI ISA
Noah Stahl is a PCI Internal Security Assessor and experienced consultant, having conducted PCI assessments for small businesses to Fortune 500 companies....
    
Copyright © 2022 Network Assured