SAQs and the PCI

And just like that, self-assessment is possible

The Payment Card Industry developed the PCI Data Security Standard (PCI DSS) in 2004 with the objective of protecting cardholder data and securing the rising tide of credit card transactions.

To ensure this protection, merchants who accept payments by credit card are required to comply with the requirements of the Data Security Standard, which is enforced by the primary payment card brands and banks that process card transactions.

Flexible Compliance Process

A good degree of flexibility has been built into the process of evaluating a merchant’s security posture in order to provide options for proving compliance with the PCI DSS, ranging from third-party assessments to merchant self-assessments.

The method recommended by the PCI Council for conducting a proper assessment is to employ the services of a Qualified Security Assessor (QSA). A QSA is a firm specializing in data security, cybersecurity, or security compliance that has been qualified by the PCI Council to perform onsite PCI Data Security Standard assessments. QSAs are required to be re-certified every year and are listed on the PCI website. 24By7Security is a Qualified Security Assessor that has assisted numerous merchants and service providers in achieving PCI DSS compliance.

The PCI Security Standards Council also offers multiple options for merchant self-assessment. This blog explores the self-assessment options available through eight Self-Assessment Questionnaires or SAQs.

Card Transaction Volumes Today

Credit card users generated 39.6 billion purchase transactions in 2019 across more than 374 million cardholder accounts in the U.S., including Visa, Mastercard, American Express, and Discover credit cards.

A Pew Research Center survey in roughly the same timeframe indicated that cash as a payment vehicle is steadily being replaced by credit cards in Americans’ wallets and digital payment apps on their smartphones.

Individual names, credit card numbers, security codes, and other personal cardholder information are transmitted over networks in vast numbers after being scanned and transmitted by all kinds of devices with varying degrees of security.

Not only is merchant compliance with PCI DSS required by processing banks, but compliance is aligned with best security practices and a good idea in today’s hyperactive credit card environment. And there are a number of benefits to be enjoyed by merchants who comply with the PCI Data Security Standard as well.

Before You Get Started

Self-assessment may not be an option for every merchant who accepts credit card payments for purchases. This is why merchants should contact their processing banks or payment card brands to confirm what type of security assessment and proof of compliance is acceptable to, or required by, that entity.

Individual payment card brands (e.g., Visa, Amex, and others) have the authority to modify compliance requirements, and are also responsible for compliance enforcement, along with the merchant banks who process card transactions.

It’s best to know exactly what their requirements are before you get started. This important first step can prevent a merchant from making the wrong decision and a costly mistake.

Self-Assessment Questionnaires (SAQs)

For merchants who are eligible to evaluate and document their own compliance, Self-Assessment Questionnaires (SAQs) are tools provided by the PCI Security Standards Council to enable them to measure and assess their compliance with the PCI Data Security Standard, which consists of 12 security requirements.

Two terms are helpful for understanding in reviewing the SAQs. “Card-present” refers to merchants in brick-and-mortar sales environments or stores where a physical card is presented to be scanned or otherwise accepted. “Card-not-present” refers to e-commerce merchants who sell online through websites or merchants who sell or and take orders by mail or telephone, where a physical card is not able to be presented.

The Seven SAQs

The appropriate SAQ for a merchant to use depends on several specifications, as described in the seven most common SAQs below.

• SAQ A – Applies to card-not-present merchants who:

  • Are either e-commerce merchants, mail-order merchants, or telephone-order merchants (card-not-present),
  • Have completely outsourced cardholder data functions to validated third parties,
  • Do not store, process, or transmit any cardholder data in electronic format on their systems or premises, and
  • Retain only paper reports or receipts with cardholder data.

• SAQ A-EP – Applies to card-not-present merchants who:

  

  • Have e-commerce websites which (1) do not receive cardholder data, but (2) do affect the security of the payment transaction, and/or affect the integrity of the webpage that accepts the consumer’s cardholder data,
  • Partially outsource their e-commerce payment channel to PCI DSS validated third parties, and
  • Do not electronically store, process, or transmit any cardholder data on their systems or premises.

• SAQ B – Applies to merchants who: 

  • Process cardholder data only via imprint machines or via standalone, dial-out terminals,
  • Are either brick-and-mortar (card-present) or mail and/or telephone order (card-not-present) merchants, and
  • Do not store cardholder data on any electronic device or computer system.

• SAQ B-IP – Applies to merchants who:

• • Process cardholder data only via standalone, PTS-approved point-of-interaction (POI) devices that have an IP connection to the payment processor,
  • Are either brick-and-mortar (card-present) or mail and/or telephone order (card-not-present) merchants, and
  • Do not store cardholder data on any electronic device or computer system.
    

• SAQ C – Applies to merchants who:

  • Have payment application systems (for example, point-of-sale systems) that are connected to the Internet (for example, via DSL, cable modem, or other means),
  • Process cardholder data via a point-of-sale (POS) system or other payment application systems connected to the Internet,
  • Are either brick-and-mortar (card-present) or mail and/or telephone order (card-not-present) merchants, and
  • Do not store cardholder data on any electronic device or computer system.

• SAQ C-VT – Applies to merchants who:

• • Process cardholder data only via isolated virtual payment terminals on a personal computer securely connected to the Internet,
  • Manually enter payment card data, a single transaction at a time, via a keyboard, into an Internet-based virtual terminal solution,
  • Are either brick-and-mortar (card-present) or mail and/or telephone order (card-not-present) merchants, and
  • Do not store cardholder data on any electronic device or computer system.
  • Note: These virtual terminals are connected to the Internet to access a third party who hosts the virtual terminal payment-processing function. This third party may be a processor, acquirer, or other third-party service providers who store, process, and/or transmits cardholder data to authorize and/or settle merchants’ virtual terminal payment transactions. A virtual payment terminal is a web-browser-based access to an acquirer, processor, or third-party service provider website to authorize payment card transactions. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card.

• SAQ P2PE – Applies to merchants who:

• • Only process cardholder data via payment terminals that are components of a validated and PCI SSC-listed Point-to-Point Encryption (P2PE) solution,
  • Only enter account data via hardware payment terminals from a PCI SSC-approved P2PE solution,
  • Do not have access to clear-text account data on any computer system,
  • Are either brick-and-mortar (card-present) or mail and/or telephone order (card-not-present) merchants, and
  • Do not store cardholder data on any electronic device or computer system.
  • Note: As an example, a telephone-order merchant could be eligible for this SAQ if they receive cardholder data over the phone, and then key it directly into and only into a P2PE validated hardware device.

The Other SAQ

The eighth Self-Assessment Questionnaire is known as SAQ D. There is an SAQ D for merchants, and an SAQ D for service providers. 

• SAQ D for Merchants – Applies to all other merchants who are eligible to self-assess but do not meet the criteria for any other SAQ type.

• Examples of merchants who would use SAQ D include, but are not limited to:
  • E-commerce merchants who accept cardholder data on their websites.
  • Merchants who store cardholder data electronically.
  • Merchants who do not store cardholder data electronically, but who do not meet the criteria of another SAQ type.
  • Merchants with environments that might meet the criteria of another SAQ type, but who have additional PCI DSS requirements that apply to their environments.

• SAQ D for Service Providers – Applies to all service providers who are defined by their payment brand as being eligible for self-assessment.

While many merchants and service providers completing SAQ D will need to validate compliance with all 12 PCI DSS requirements, some with highly specific business models may find that certain requirements do not apply.

For example, a merchant who does not use wireless technology is not expected to validate compliance with PCI DSS requirements governing the use of wireless technology. The Self-Assessment Questionnaire Type D provides guidance about the exclusion of other specific requirements as well.

Now That You’ve Identified Your SAQ

Now that you’ve verified your eligibility to self-assess compliance with the PCI Data Security Standard, and now that you’ve identified the specific Self-Assessment Questionnaire that applies to your payment card environment, what next?

The PCI Security Standards Council website is the next logical stop. Here you can download the appropriate SAQ document from the Document Library. The SAQ document includes an Attestation of Compliance section which you’ll complete to attest to your organization’s compliance status once your self-assessment has been performed. In fact, the document is formally titled Self-Assessment Questionnaire and Attestation of Compliance.

This questionnaire includes a series of Yes/No questions for each PCI Data Security Standard requirement that applies to your business environment. In cases where your answer is No, you may be requested to specify a date by which you will comply with that requirement as well as a brief action plan for achieving compliance. Hence, it may not be necessary to be fully compliant at a given point in time—as long as you have a clear plan to remedy the shortfall.

Following are additional instructions, taken from SAQ A specifically to serve as an example.

1. Confirm that your environment is properly scoped and meets the eligibility criteria for the SAQ you are using.
2. Assess your environment for compliance with the applicable PCI DSS requirements.
3. Complete all sections of this document:

• Section 1 (Parts 1 & 2) – Assessment Information and Executive Summary
• Section 2 – PCI DSS Self-Assessment Questionnaire
• Section 3 (Parts 3 & 4) – Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)

Finally, you will submit the Self-Assessment Questionnaire and Attestation of Compliance, along with any other requested documentation, to your merchant bank or payment card brand as per their specific instructions.

Additional requested documentation could include, for example, external vulnerability scans or penetration testing performed by an approved scanning vendor who has the tools to verify compliance with PCI DSS external scanning requirements.

Learn more about the scoping and assessing activities required in Steps 1 and 2 in this PCI DSS blog.

Summary

Credit card data flies through the Internet every second of every day, captured and transmitted by credit card scanners, launched by smartphones, and collected by online payment forms. Securing data at every point in the process is not only good business but also a requirement. 

Merchant compliance with the PCI Data Security Standard can be achieved through onsite assessments by Qualified Security Assessors, the PCI Council’s preferred method, or through a self-assessment process. Eight Self-Assessment Questionnaires (SAQs) are available to merchants who have confirmed with their processing banks or payment card brands that they are eligible to self-assess.

The PCI Security Standards Council maintains a website that provides a wide array of resources for industry members, including the eight SAQs outlined in this blog. The Council encourages members to effectively protect cardholder data by maintaining robust security programs that comply with the Data Security Standard.