Choosing the Best SAQ for Your Organisation
The Payment Card Industry Security Standards Council (PCI SSC) has long recognised that not all organisations have the requirement or resources to engage external assessors to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS).
As such, the PCI SSC has developed and made available a number of self-assessment questionnaires (SAQs) to assist both merchants and service providers.
These SAQs are very much targeted at smaller merchants and service providers that have a lower volume of payment card transactions and are not required to undergo an on-site data security assessment or submit a report on compliance (ROC).
The SAQs do, however, enable these organisations to validate compliance without having to incur the cost of a full external assessment.
There are 9 different SAQs available, each of which is applicable to a specific payment scenario (or channel) and has been developed to address the most common types of payment processing conducted by organisations.
There is also a ‘cover-all’ SAQ to address any other scenario. The SAQs vary considerably in terms of requirements, with some being far more onerous to complete.
URM has produced the following table to summarise the key differences and can advise on which SAQ different organisations should be completing.
SAQ Table Guide
What Comes Next?
Choosing the appropriate SAQ is critical, as incorrect submissions can invalidate your compliance and expose your organisation to greater risk of payment card data breaches.
The time and effort involved in completing the different SAQs can also vary considerably.
URM’s QSA consultants can assist in advising which SAQ is most applicable to your organisation.
They can also provide invaluable assistance in assessing whether there may be an opportunity to reduce the scope of your cardholder data environment (CDE), resulting in you having to complete a less onerous SAQ.