PCI SAQs (Payment Card Industry Self-Assessment Questionnaires) enable merchants to assess their adherence to PCI DSS (Payment Card Industry Data Security Standard) requirements, which are mandatory for any entity that processes, stores or transmits payment card data.
Merchants processing credit and debit card payments must comply with a series of standards to maintain the security of their transactions. This includes PCI DSS — which stands for Payment Card Industry Data Security Standard.
Businesses selling online can self-assess their PCI DSS compliance with PCI SAQs, which we’ll be covering in this article.
Let’s start by answering:
What is PCI SAQ?
PCI SAQs (Self-Assessment Questionnaires) are tools created by the Payment Card Industry Security Standards Council that help merchants check how well they meet the PCI DSS requirements, which ensure the security of payment card data.
There are various SAQs designed for different business models and payment processing methods. Merchants need to select the SAQ that best matches how they handle cardholder data. The options range from SAQ A for those using third-party processors to SAQ D for those with complex payment setups.
Why are PCI SAQs required?
PCI SAQs enable merchants to assess their adherence to PCI DSS requirements, which are mandatory for any entity that processes, stores or transmits payment card data.
Complying with these standards helps protect sensitive cardholder information from security breaches and fraud, safeguarding both merchants and consumers from potential financial losses and reputational damage.
Which PCI SAQ do I need?
The appropriate PCI SAQ depends on a number of factors, including the business model, payment processing methods, and the extent of their interaction with cardholder data.
The options range from SAQ A for merchants who entirely outsource payment processing, to SAQ D, for those with complex payment setups involving the storage of cardholder data.
Let’s see some practical examples:
- SAQ A: A small online service that uses a third-party service like CommerceGate for all payment processing. They use SAQ A because they do not directly handle or store cardholder data.
- SAQ D: A large online retailer processes payments on its website and stores customer card details for repeat transactions. This setup requires SAQ D.
- SAQ B: A vendor at a craft market uses a standalone dial-out terminal to process credit card transactions. Since the data isn’t processed over the internet, SAQ B is appropriate.
Selecting the correct SAQ ensures that merchants focus their compliance efforts on the most relevant requirements.
How Do I Determine The Right SAQ For My Business?
To choose the correct SAQ, a merchant must consider:
- Payment Processing Method: How and where transactions are processed—online, by phone, or using physical POS terminals.
- Interaction with Cardholder Data: How much they directly handle or are exposed to cardholder data during transactions.
- Use of Third-party Services: Whether payment processing is entirely outsourced to third-party service providers.
- Technological Infrastructure: Types of payment systems are in use, such as P2PE (Point-to-point encryption) physical devices or virtual terminals.
Let’s illustrate with a few examples.
Example 1: Small to medium online business
Scenario: Processes card transactions via a third-party website redirect without handling or storing cardholder data.
Appropriate SAQ: SAQ A, is ideal for merchants completely outsourcing card data handling.
Example 2: Online Gambling/Forex
Scenario: Handles all transactions through its platform, retaining customer data for enhanced user experience, cascading, and payment routing.
Appropriate SAQ: SAQ D, due to complex data handling and storage needs.
Example 3: MOTO (Mail Order, Telephone Order) merchant
Scenario: A merchant conducts sales via mail orders or telephone orders without any face-to-face customer interaction. They use virtual terminals accessed via a web-based application hosted by a third-party to enter payment card data on behalf of the customer.
Appropriate SAQ: SAQ C-VT, this setup requires that the merchant’s hardware is isolated in a secure area and that the payment application is delivered via a third-party which is managed through a web browser.
Example 4: Offline retail shop
Scenario: Uses an IP-connected POS terminal from a third-party vendor, without storing card data.
Appropriate SAQ: SAQ B-IP, suitable for businesses using internet-connected devices without storing data electronically.
Keep Your Business Compliant With CommerceGate
CommerceGate is your global payment partner and holds a PCI DSS Level 1 Certification for customer and card data.
