PCI DSS Self Assessment Questionnaire 2017-06-18T13:34:00+00:00

Self Assessment Questionnaire (SAQ)

The PCI Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The SAQ is organised around the 12 security requirements of the PCI Data Security Standard, with each section targeting a specific area of security. All sections must be completed; once completed, the required SAQ gives others, such as your acquiring bank, the evidence they need that you are in compliance with the PCI Data Security Standard. There are nine different versions of the SAQ, and the version you must complete depends on how your company handles cardholder data; this is called your 'validation type'.


PCI SAQ Versions

SAQ Type: Description

SAQ 3.2 Form A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.

SAQ 3.2 Form A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.

SAQ 3.2 Form B: Merchants using only:

  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.

SAQ 3.2 Form B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ 3.2 Form C: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ 3.2 Form C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ 3.2 Form P2PE: Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ 3.2 Form D for Merchants: All merchants not included in the descriptions for the above SAQ types.

SAQ 3.2 Form D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ.

Criteria for Passing the SAQ

  • Merchants and service providers must pass all questions to be considered compliant with the PCI Security Standards.

  • They may answer "Not Applicable" for controls that do not apply to their environment, provided the control genuinely does not apply to the respective requirement.

  • Failing any question means the merchant or service provider is not compliant with the PCI Security Standards.

  • The risk identified by any failed question must be remediated before compliance can be claimed.
