Choosing the Best SAQ for Your Organisation
The Payment Card Industry Security Standards Council (PCI SSC) has long recognised that not all organisations have the requirement or resources to engage external assessors to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS). As such, the PCI SSC has developed and made available a number of self-assessment questionnaires (SAQs) to assist both merchants and service providers.
These SAQs are very much targeted at smaller merchants and service providers which have a lower volume of payment card transactions and are not required to undergo an on-site data security assessment nor submit a report on compliance (ROC). The SAQs do, however, enable these organisations to validate compliance without having to incur the cost of a full external assessment.
There are 9 different SAQs available. Each is applicable to a specific payment scenario (or channel) and has been developed to address the most common types of payment processing conducted by organisations, with a 'cover-all' SAQ for any other scenario. The SAQs vary considerably in their requirements, some being far more onerous to complete than others. URM has produced the following summary of the key differences and can advise on which SAQ a given organisation should be completing.
SAQ A
Eligible payment channel: card-not-present channels only (e-commerce or mail order/telephone order [MOTO]), where all cardholder data functions are fully outsourced to PCI DSS compliant third parties and the merchant has no direct control over the storage, processing or transmission of cardholder data (CHD).
URM has found that a significant number of organisations incorrectly believe that outsourcing all payment functions absolves them of PCI DSS compliance, but that is not the case. SAQ A is designed to cover scenarios where the merchant's website redirects the customer to the payment processor's website (e.g. a PayPal-type redirect) and the merchant's systems never touch the CHD.
SAQ A never applies to face-to-face payment channels.

SAQ A-EP
Eligible payment channel: partially outsourced e-commerce channels only, i.e. merchants which use a third-party website for payment processing but whose own website controls how the customer's CHD is sent to that processor. Crucially, with SAQ A-EP the merchant's systems still have no electronic storage, processing or transmission of CHD.
This SAQ is designed for the more modern type of e-commerce integration where the merchant's site controls how the customer's CHD is delivered to the payment processor (often referred to as a form post mechanism). Because the merchant's web server dictates where the cardholder's browser sends the data, a compromise of that server can redirect CHD to an attacker, which is why A-EP carries more requirements than SAQ A.
SAQ A-EP never applies to MOTO or face-to-face transactions.

SAQ B
Eligible payment channel: channels that use imprint machines* or standalone terminals only, where there is no transmission of CHD over data networks and no electronic storage of CHD. Standalone terminals are more commonly known as PIN entry devices (PEDs) or Process Data Quickly devices (PDQs) and may connect to the processor either via an old phone (dial-out) connection or, more commonly, some kind of mobile data connection (GPRS, 3G, 4G, etc.).
*Imprint machines are the very old physical card copy devices that used triple-carbon paper to take an actual imprint of the customer's card, and are rarely seen these days.
SAQ B is not applicable to e-commerce channels.

SAQ B-IP
Eligible payment channel: channels using standalone, IP-connected, PTS-approved terminals that have an isolated connection to the payment processor (i.e. the terminals are not connected to any other systems in the merchant's environment) and where there is no electronic storage of CHD.
These terminals are the same PED/PDQ devices as for SAQ B, but use a network connection (typically over the Internet) to reach the payment processor. The terminals can be used for either face-to-face transactions or phone payments.
SAQ B-IP is not applicable to e-commerce channels.

SAQ C
Eligible payment channel: channels that use a payment application installed on an end-user device (laptop/desktop) which is connected to the payment processor via the Internet. Originally designed for very small retailers who did not use PEDs/PDQs, SAQ C is now more often found in small in-house call centre setups.
SAQ C has very strict criteria about isolation of the end-user devices: the device must be isolated from the rest of the merchant's environment and the physical location of the device must not be connected to other locations (a single network only). Under SAQ C there can be no electronic storage of CHD.
SAQ C is not applicable to e-commerce channels.

SAQ C-VT
Eligible payment channel: channels that use web-based virtual payment terminals, where transactions are keyed in manually, one at a time, through a web browser. SAQ C-VT was created in response to payment processors offering their payment service via web portals. It is very similar to SAQ C, is typically found in larger call centre setups, and has similarly strict criteria in that the device accessing the virtual terminal must be isolated from the rest of your environment.
SAQ C-VT is not applicable to e-commerce channels.

SAQ P2PE-HW
Eligible payment channel: merchants using the newer payment terminals that are part of a solution validated to the PCI SSC's P2PE Standard (this SAQ is named simply SAQ P2PE in later versions of the standard). It addresses the hardware-based encryption implemented in the newer PEDs, which is currently considered more secure.
To be eligible, the organisation must process payments only through a validated P2PE solution. Because account data is encrypted inside the terminal before it leaves the device and the merchant has no access to the decryption keys, there is no requirement to isolate the terminals as there is for the other SAQs.
SAQ P2PE-HW is not applicable to e-commerce channels.

SAQ D (Merchants)
SAQ D (Merchants) is the 'catch-all' SAQ, designed to cover any merchant which does not meet the eligibility criteria for any of the other SAQs. It essentially includes all the requirements of the PCI DSS and, as such, is particularly onerous to complete.
Number of requirements: 330

SAQ D (Service Providers)
SAQ D (Service Providers) is designed for service providers that qualify for self-assessment and is the only SAQ that service providers are allowed to complete.
Number of requirements: 355
Choosing the appropriate SAQ is critical, as incorrect submissions can invalidate your compliance and expose your organisation to greater risk of payment card data breaches. The time and effort involved in completing the different SAQs can also vary considerably. URM’s QSA consultants can assist in advising which SAQ is most applicable to your organisation. They can also provide invaluable assistance in assessing whether there may be opportunity to reduce the scope of your cardholder data environment (CDE), resulting in you having to complete a less onerous SAQ.