What is a PCI Self-Assessment Questionnaire?

Learn everything you need to know about the PCI Self-Assessment Questionnaire (SAQ). Discover how completing a PCI SAQ can help merchants become PCI compliant, avoid non-compliance fees, and protect cardholder data from breaches. Understand the different types of SAQs and how to choose the right one for your business.

Merchants who accept credit cards are no strangers to fees. Network fees, assessment fees, processor fees – the list goes on and on. Among this laundry list is the PCI non-compliance fee (often labeled simply "PCI compliance fee" on a statement), which a processor charges when a merchant has not provided proof that its payment environment complies with the Payment Card Industry Data Security Standard (PCI DSS for short). For most small and mid-sized merchants, that proof is a completed PCI Self-Assessment Questionnaire (SAQ) together with its Attestation of Compliance (AOC).

Many merchants pay this fee without realizing that it is one of the simplest fees to remove from their monthly statement. All it takes is reviewing how your business accepts and handles card payments and completing the Self-Assessment Questionnaire (SAQ) that matches that setup. Once the SAQ and its attestation are submitted to your processor and accepted, the fee comes off future statements.

Understanding PCI Compliance

PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), the set of security requirements that applies to every organization that accepts, processes, stores, or transmits payment card data. The standard spells out the controls needed to safeguard cardholder data, from network security and access control to logging and testing. By adhering to PCI DSS, businesses reduce the likelihood and the impact of card-data breaches and fraud. Ensuring PCI compliance is not just about avoiding fines; it is about building trust with your customers and maintaining the integrity of your payment processing systems.


Overview of PCI Security Standards Council

The Payment Card Industry Security Standards Council (PCI SSC) is an independent body established by major payment brands like Visa, MasterCard, American Express, Discover, and JCB. The PCI SSC’s primary role is to develop, enhance, and promote the PCI DSS and other security standards. By providing comprehensive guidelines and resources, the PCI SSC helps organizations worldwide to secure cardholder data and maintain PCI DSS compliance. The council’s efforts are crucial in creating a unified approach to payment security, ensuring that businesses of all sizes can protect sensitive cardholder information effectively.

PCI Compliance Requirements

Achieving PCI compliance means meeting the 12 high-level requirements of PCI DSS. The wording below follows PCI DSS v3.2.1; v4.0 retitles several requirements (for example "firewall" becomes "network security controls") but keeps the same intent. Each requirement expands into many detailed sub-requirements:

  1. Install and maintain a firewall configuration to protect cardholder data: control which traffic may reach the cardholder data environment, in both directions.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters: default credentials and settings are public knowledge and are among the first things an attacker tries.
  3. Protect stored cardholder data: keep as little as possible, render the primary account number (PAN) unreadable wherever it is stored, and never store sensitive authentication data (full track data, card verification codes, PINs) after authorization.
  4. Encrypt transmission of cardholder data across open, public networks: use strong, current protocols (TLS 1.2 or later) for data in transit.
  5. Protect all systems against malware and regularly update anti-virus software: keep anti-malware current on every system commonly affected by malware.
  6. Develop and maintain secure systems and applications: apply security patches promptly and follow secure development practices for any in-house code.
  7. Restrict access to cardholder data by business need to know: grant each role the least privilege it requires.
  8. Identify and authenticate access to system components: give every user a unique ID, and use multi-factor authentication for administrative and remote access to the cardholder data environment.
  9. Restrict physical access to cardholder data: protect the premises, devices, and media where cardholder data is handled.
  10. Track and monitor all access to network resources and cardholder data: keep audit logs, protect them from tampering, and review them to detect and respond to suspicious activity.
  11. Regularly test security systems and processes: run vulnerability scans and penetration tests, and detect unauthorized changes and rogue wireless access points.
  12. Maintain a policy that addresses information security for all personnel: write, enforce, and keep current a security policy, including an incident response plan.

Meeting these requirements is essential for protecting cardholder data and maintaining PCI compliance.

What is a PCI SAQ (Self-Assessment Questionnaire)?

A PCI SAQ (Self-Assessment Questionnaire) is a set of yes/no questions, each mapped to a PCI DSS requirement, that eligible merchants complete to assess and attest to their compliance with the Payment Card Industry Data Security Standard (PCI DSS).


They are the standard way for merchants that are not required to undergo an on-site assessment by a Qualified Security Assessor (QSA) to validate compliance with PCI DSS. The completed SAQ, together with its Attestation of Compliance (AOC), goes to the merchant's acquirer or processor, which uses it to report the merchant's compliance status to the card brands.

Before a merchant reaches the questionnaire itself, the processor's compliance portal asks a short set of scoping questions about the payments setup. Their purpose is to work out which parts of your environment touch cardholder data and therefore which SAQ applies. You can expect to see questions like the following:

  • What methods are used to accept payments? (Card swipes or dips, online orders, telephone orders, etc.)
  • What industry do you operate in?
  • What payment equipment do you use?
  • Do any third parties have access to your payment systems (such as a point-of-sale software vendor)?
  • How often do you update your payment software?
  • Are all payment systems password protected, with the vendor default credentials changed?

Many merchants already meet most of the applicable requirements by virtue of the equipment they use: a PTS-approved standalone terminal, a validated P2PE solution, or a fully hosted checkout page keeps card data off the merchant's own systems and makes the merchant eligible for one of the shorter SAQs. That narrows the questionnaire, but it does not answer it for you. The remaining questions (changed default passwords, physical protection of terminals, an information security policy, and so on) still have to be true of your business before you attest, and for several SAQ types a passing quarterly external vulnerability scan by an Approved Scanning Vendor (ASV) is also required.

PCI Compliance Phone Number and Support

PCI compliance and the self-assessment can be intimidating, and Swipesum is here to make it simpler. Swipesum offers PCI compliance support at no additional charge to its clients, providing expert assistance to ensure your payment system meets the required standards without stress. Our team of PCI experts is equipped to guide you through every step of the process, from completing the PCI SAQ (Self-Assessment Questionnaire) to implementing PCI DSS requirements tailored to your business needs.

PCI Contact Information

When it comes to PCI compliance, having expert support can make all the difference. Whether you’re just beginning the self-assessment process or have questions about PCI DSS requirements, Swipesum is ready to help.

  • PCI Compliance Phone: +1 (844) 554-1275
  • PCI Compliance Email: save@swipesum.com

Types of Self-Assessment Questionnaires for PCI Compliance: Which Do I Choose?

Of course, not every business is the same, so not every business can perform the same assessment. This is where things tend to get confusing. Knowing which of the eight SAQ types to complete (SAQ D additionally comes in separate merchant and service-provider versions) can be a challenge for many merchants. The PCI SSC's stated aim of the split is to let a merchant answer only the requirements that apply to its setup, and in many ways it does, but the many different assessments also act as a barrier to merchants who are less motivated to complete the assessment and remove their PCI compliance fee.

However, once you know which SAQ is right for your business you will be able to complete it without any problems. The common thread across every type except SAQ D is that the merchant stores no cardholder data electronically; any electronic storage puts you in SAQ D. Here are the different SAQ types, with eligibility criteria summarized from PCI DSS v3.2.1:

SAQ A

The SAQ A is for card-not-present merchants, such as ecommerce and mail/telephone-order businesses, that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers and whose own systems never store, process, or transmit cardholder data. For an ecommerce merchant that means every element of the payment page delivered to the customer's browser comes from the third party (a full redirect or a provider-hosted iframe). Because card data never touches the merchant, this is the shortest assessment. The merchant may retain cardholder data only on paper (reports or receipts), must protect that paper, and must keep a record of which third-party providers handle card data and confirm that those providers maintain their own PCI DSS compliance.


SAQ A-EP

The SAQ A-EP is also for ecommerce merchants that outsource payment processing to PCI DSS validated third parties, but it applies when the merchant's own website, while never receiving cardholder data itself, can affect the security of the payment transaction: for example, the merchant's page serves the payment form and posts it directly to the provider (Direct Post), loads the provider's JavaScript, or controls the redirect to the provider. That puts the merchant's web server in scope, so A-EP carries far more requirements than SAQ A, including quarterly ASV scans. If the merchant's website ever receives card data, even just to pass it on, the merchant falls into SAQ D instead. A-EP is easily mistaken for SAQ A, so read the eligibility criteria of both carefully.


SAQ B: For Merchants Using Imprint Machines or Dial-Out Terminals

The SAQ B is for merchants that take payments only with imprint machines and/or standalone dial-out terminals (terminals that reach the processor over a phone line) and that store no cardholder data electronically. It does not apply to ecommerce. Because most modern standalone terminals connect over Ethernet, Wi-Fi, or cellular IP rather than a phone line, check the connection type before choosing this form: an IP-connected standalone terminal belongs under SAQ B-IP, not SAQ B. The SAQ B questions focus on keeping terminals isolated from other systems, protecting them from tampering or substitution, and not retaining sensitive authentication data.


SAQ B-IP

Like the SAQ B, the SAQ B-IP is not applicable to ecommerce businesses. It differs from SAQ B in that it is strictly for merchants that process payments only through standalone, PCI PTS-approved point-of-interaction (POI) devices with an IP connection to the payment processor. There is no electronic storage of cardholder data, the POI devices must not be connected to any other systems in the merchant environment, and the only records of cardholder data are on paper receipts. Because the terminals are on the network, SAQ B-IP also requires quarterly ASV scans of the merchant's external IP addresses. Confirm that the devices you use appear on the PCI SSC's list of approved PTS devices.


SAQ C

The SAQ C is for merchants whose payment application system (for example, a point-of-sale application) is connected to the Internet and that store no cardholder data electronically. It does not apply to ecommerce. Because the system that handles card data is on a network, the questions cover the merchant's environment around the application as much as the application itself: the payment system must sit on its own isolated segment, be protected by a firewall and current anti-malware, be kept patched, and be scanned quarterly by an ASV. The application itself should be a validated payment application (PA-DSS listed, or listed under the newer Secure Software standard) configured according to the vendor's implementation guide.


SAQ C-VT

At first glance, the SAQ C-VT and the SAQ C may seem very similar, and in many ways they are, but they differ in a subtle and significant way. The SAQ C-VT applies to merchants that manually key one transaction at a time into a virtual terminal: a web-based payment page provided and hosted by a PCI DSS validated third-party service provider, accessed from a browser on a computer that is isolated from other systems and has no software that captures or stores card data. It is typically used by mail-order and telephone-order operations such as in-house call centers. It is not for ecommerce, and the merchant must not store cardholder data electronically.


SAQ P2PE

The SAQ P2PE should be used by merchants that process all card transactions through a validated Point-to-Point Encryption (P2PE) solution listed on the PCI SSC website. Unlike some other SAQ types, SAQ P2PE can be used by both card-present and card-not-present (mail/telephone order only, not ecommerce) merchants. This is because card data is entered only into the solution's P2PE-validated hardware device, which encrypts it before it reaches any merchant system, and no cardholder data is stored electronically by the merchant. The merchant still has to deploy and manage the devices as the solution's P2PE Instruction Manual (PIM) requires.


SAQ D: For Merchants That Store Electronic Cardholder Data

The SAQ D is for any merchant that does not fit into any of the other SAQ categories, and in particular for any merchant that stores cardholder data electronically. It functions as a catch-all that covers every applicable PCI DSS requirement, more than 200 sub-requirements in v3.2.1 (individual sub-requirements may still be marked not applicable with a justification). SAQ D also comes in a separate service-provider version, and if you are a service provider it is the only SAQ you may complete. Although it may seem like completing SAQ D is the easiest route because it simply asks for everything, it is far more work than its counterparts; the better strategy is usually to change the payments setup so that card data stays off your systems and a shorter SAQ applies.

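The eligibility rules above are easier to apply when their precedence is written down: electronic storage beats every channel, the ecommerce split turns on whether the merchant's site affects the transaction, and the card-present forms each demand exactly one mechanism. The following is an added example written for this edit, not code from the page, from Swipesum, or from the PCI SSC. MerchantProfile and select_saq are names chosen here, and the rules are a condensed reading of each v3.2.1 SAQ's "Before You Begin" criteria; confirm the result against the SAQ document itself and your acquirer before attesting.

```python
"""Simplified model of which PCI DSS v3.2.1 SAQ a merchant qualifies for.

Added example, not a PCI SSC tool: MerchantProfile and select_saq are names
chosen here, and the rules condense each SAQ's "Before You Begin" criteria.
Confirm the result against the SAQ documents and your acquirer before attesting.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MerchantProfile:
    # Acceptance channels
    ecommerce: bool = False        # cards accepted through the merchant's website
    moto: bool = False             # mail order / telephone order
    card_present: bool = False     # face-to-face
    service_provider: bool = False
    # Where cardholder data (CHD) touches the merchant's own systems
    stores_chd_electronically: bool = False     # any electronic storage of PAN etc.
    merchant_systems_receive_chd: bool = False  # merchant site/app receives card data
    fully_outsourced_to_tpsp: bool = False      # all CHD handled by a PCI DSS validated
                                                # third party; merchant keeps paper at most
    merchant_site_controls_redirect: bool = False  # merchant page serves form / Direct Post / JS
    # Non-e-commerce mechanisms (a shorter SAQ requires exactly one of these)
    imprint_or_dial_out_only: bool = False   # imprint machine and/or standalone dial-out terminals
    ip_pts_terminals_only: bool = False      # standalone PTS-approved POI devices over IP
    hosted_virtual_terminal: bool = False    # one keyed transaction at a time into a TPSP-hosted VT
    internet_connected_payment_app: bool = False
    validated_p2pe_solution: bool = False    # PCI-listed P2PE solution for every transaction
    payment_systems_isolated: bool = True    # terminals / VT PC / app LAN not connected to other systems


def select_saq(p: MerchantProfile) -> str:
    """Return the SAQ type a merchant with profile p is eligible for."""
    if p.service_provider:
        return "D-SP"                       # service providers only ever use SAQ D
    # Every short-form SAQ requires no electronic storage of CHD and that the
    # merchant's own systems never receive CHD, so either condition forces SAQ D.
    if p.stores_chd_electronically or p.merchant_systems_receive_chd:
        return "D"
    if p.ecommerce:
        if p.merchant_site_controls_redirect:
            # A-EP: e-commerce only; the site affects the transaction but never sees CHD.
            return "A-EP" if not (p.moto or p.card_present) else "D"
        if p.fully_outsourced_to_tpsp and not p.card_present:
            return "A"                      # fully outsourced card-not-present
        return "D"
    if p.moto and p.fully_outsourced_to_tpsp and not p.card_present:
        return "A"                          # MOTO fully outsourced, paper records only
    mechanisms = {
        "P2PE": p.validated_p2pe_solution,
        "B": p.imprint_or_dial_out_only,
        "B-IP": p.ip_pts_terminals_only,
        "C-VT": p.hosted_virtual_terminal,
        "C": p.internet_connected_payment_app,
    }
    chosen = [name for name, used in mechanisms.items() if used]
    if len(chosen) != 1:
        return "D"                          # mixed or unknown channels: default to D, ask the acquirer
    saq = chosen[0]
    # B-IP, C-VT and C all require the payment devices or workstation to be
    # isolated from the rest of the merchant network.
    if saq in ("B-IP", "C-VT", "C") and not p.payment_systems_isolated:
        return "D"
    return saq


if __name__ == "__main__":
    hosted_checkout = MerchantProfile(ecommerce=True, fully_outsourced_to_tpsp=True)
    direct_post = MerchantProfile(ecommerce=True, fully_outsourced_to_tpsp=True,
                                  merchant_site_controls_redirect=True)
    ip_terminal_on_office_lan = MerchantProfile(card_present=True, ip_pts_terminals_only=True,
                                                payment_systems_isolated=False)
    for profile in (hosted_checkout, direct_post, ip_terminal_on_office_lan):
        print(select_saq(profile))
```

The third sample profile is the one that catches merchants out most often: a PTS-approved IP terminal plugged into the same network as the back-office PCs loses its SAQ B-IP eligibility, and the function returns "D" until the terminal is segmented off.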

Finding and completing the SAQ that is right for your business may seem like a daunting task. Completing it, however, does more than remove the PCI non-compliance fee from future processing statements: it forces you to verify that card data stays off your systems and that the remaining controls are in place, which materially lowers the chance that your customers' card data is stolen through your business. Keep in mind that the SAQ is submitted together with an Attestation of Compliance signed by an officer of the business, and that several SAQ types (A-EP, B-IP, C, and D) also require passing quarterly external vulnerability scans by an ASV. If your business is not compliant and experiences a data breach, you can be assessed significant financial penalties by the card brands, passed through by your acquirer, on top of the costs of the breach itself. In addition to that financial burden, being non-compliant means you run the risk of your acquirer terminating your merchant account, leaving you unable to accept credit cards.

The SAQ, though it may be intimidating at first glance, is a great opportunity for merchants to save money on processing while also ensuring the safety of their consumers’ information.

Protecting Cardholder Data

Protecting cardholder data is a critical aspect of PCI compliance, and PCI DSS distinguishes two classes of data that are handled very differently. Cardholder data is the primary account number (PAN) together with the cardholder name, expiration date, and service code; it may be stored where there is a business need, but only with the PAN rendered unreadable (truncation, tokenization, strong encryption with proper key management, or a one-way hash of the full PAN, which v4.0 requires to be keyed) and masked when displayed. Sensitive authentication data is the full magnetic-stripe or chip track data, the card verification code (CVV2/CVC2/CID), and PINs or PIN blocks; it must never be stored after authorization, even encrypted. A common and costly mistake is treating the verification code as just another field to encrypt: it has to be discarded. Businesses must back this with access controls on any system that holds PAN, logging of access to it, and regular testing to confirm that PAN is not leaking into places such as application logs, backups, or spreadsheets.

Importance of Cardholder Data Protection

Failure to protect cardholder data can have serious consequences: card-brand fines, the cost of a forensic investigation and card reissuance, reputational damage, and loss of customer trust. The most reliable protection is to not hold the data at all: letting a validated third party, a P2PE solution, or tokenization keep PAN out of your environment leaves nothing for an attacker to steal and less for you to defend and assess. Where PAN must be retained, the controls summarized above (unreadable storage, masked display, least-privilege access, logging, and regular testing) are exactly what the SAQ will ask you to attest to.
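Requirement 3 in the list above and this section come down to the same practical questions: where does PAN actually sit in your environment, and is it masked or unreadable wherever it does? Application logs are the usual place it turns up uninvited. The following is an added example written for this edit, not code from the page or from Swipesum, that scans constructed log lines for card numbers, uses the Luhn check to separate real PANs from other long numbers, masks them to the last four digits, and strips verification codes outright, since they are sensitive authentication data and may not be retained in any form. The log lines and the numbers 4111 1111 1111 1111 and 5500 0000 0000 0004 are industry test values, not real accounts.

```python
"""Added example: find, Luhn-check and mask PANs in application logs.

Illustrates PCI DSS Requirement 3 (render stored PAN unreadable, mask it on
display, never retain sensitive authentication data after authorization) and
the logging controls of Requirement 10 on constructed log lines. This is the
editor's own helper, not a PCI SSC tool or code from the page.
"""
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to further digits or dashes on either side.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Sensitive authentication data in key=value form; must be deleted, not masked.
SAD_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|pin)=\S+")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits, the most conservative display form
    permitted by PCI DSS Requirement 3.3."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line: str) -> Tuple[str, List[str]]:
    """Return (redacted_line, findings) for one log line."""
    findings: List[str] = []

    def _pan_sub(m) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # long number that is not a card number: leave it
        findings.append(f"PAN ending {digits[-4:]}")
        return mask_pan(digits)

    def _sad_sub(m) -> str:
        findings.append(f"SAD field {m.group(1).lower()} removed")
        return f"{m.group(1)}=[REMOVED]"

    redacted = PAN_RE.sub(_pan_sub, line)
    redacted = SAD_RE.sub(_sad_sub, redacted)
    return redacted, findings


def scan_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Redact every line; a non-empty findings list means PAN or SAD was logged."""
    return [redact_line(line) for line in lines]


# Constructed sample log lines using card-brand test numbers, not real accounts.
SAMPLE_LOG = [
    "2024-03-01T12:00:01Z INFO order=1001 pan=4111111111111111 cvv=123 amount=19.99",
    "2024-03-01T12:00:02Z INFO order=1002 token=tok_9f2c1 amount=5.00",
    "2024-03-01T12:00:03Z WARN trace=4111111111111112 ref=5500000000000004",
    "2024-03-01T12:00:04Z INFO card=4111-1111-1111-1111 result=declined",
]

if __name__ == "__main__":
    for redacted, findings in scan_log(SAMPLE_LOG):
        print(redacted, findings)
```

Two details matter in practice. The Luhn filter keeps the scanner from flagging every timestamp, trace ID, or tracking number, which is what makes it usable on real log volumes; and the verification code is replaced by a placeholder rather than masked, because a masked CVV is still stored sensitive authentication data. Finding anything at all on a production host is the real result: the fix is to stop the application logging the field, not to run the redactor forever.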

Michael Seaman

Michael Seaman is the co-founder and CEO of Swipesum. A veteran of the payments industry and former employee at one of the largest payments companies, Michael, along with his brother Stephen, has led Swipesum since its inception in 2016. Swipesum is committed to providing innovative payment solutions and exceptional service to its diverse clientele. In his free time, Michael enjoys traveling with his wife Kelsey and their three children, pole vaulting, and engaging in typical Midwestern dad activities.
