What is a PCI Self-Assessment Questionnaire?

Merchants who accept credit cards are no strangers to fees. Network fees, assessment fees, processor fees -- the list goes on and on. Among this laundry list of fees is the PCI Compliance fee, which is charged when a company has not provided proof to its processor that its payments system is compliant with the Payment Card Industry Data Security Standard (PCI DSS for short).

Many merchants pay this fee without realizing that it’s one of the simplest fees to remove from their monthly statement. All it takes is looking at your payments set-up and filling out a Self-Assessment Questionnaire (SAQ). If you submit that SAQ to your processor, you can eliminate that fee from all future statements.

What is a Self-Assessment Questionnaire?

Self-Assessment Questionnaires are simply the PCI Security Standards Council's (PCI SSC) method of determining whether or not a business is meeting the requirements of the PCI DSS. Ultimately, Self-Assessment Questionnaires function as a risk assessment tool for the large credit card companies.

For a merchant, the SAQ is just a series of questions about their payments setup. Of course, these questions center around how consumer information is protected. You can expect to see questions like the following:

  • What methods are used to accept payments? (Card swipes, online orders, telephone orders, etc.)
  • What industry do you operate in?
  • What payments equipment do you use?
  • Do any third parties have access to your payments systems (such as a point-of-sale software vendor)?
  • How often do you update your payments software?
  • Are all payments systems password protected?

In most cases, businesses are already PCI compliant simply by nature of the equipment they use, so you shouldn't need to make many major changes to meet the requirements of the SAQ.

Types of Self-Assessment Questionnaires: Which Do I Choose?

Of course, not every business is the same, so not every business can perform the same assessment. This is where things tend to get confusing. Knowing which of the eight SAQ forms to complete can be a challenge for many merchants. The PCI SSC's position is that having several forms simplifies the assessment, and in many ways it does, but the number of different assessments also acts as a barrier to merchants who are less motivated to complete the assessment and remove their PCI compliance fee.

However, once you know which SAQ is right for your business, you'll be able to complete it without any problems. Here are the different SAQ types:

SAQ A

The SAQ A is for "card-not-present" merchants, such as ecommerce businesses and mail order businesses that do not directly handle cardholder data. Because these businesses outsource all of their cardholder data processing functions to a PCI compliant third-party service provider, this assessment is fairly simple. SAQ A requires that businesses either destroy or protect any and all cardholder information they hold, maintain records of the third-party service that is being used, and ensure that this service is maintaining its own PCI compliance.


SAQ A-EP

The SAQ A-EP is for ecommerce businesses as well; however, instead of being for businesses that use only PCI-compliant third-party service providers, it is for businesses that only partially outsource their payment processing. Basically, this SAQ is used when cardholder information is either partially or completely collected before the customer is redirected to the payment processor's site. This SAQ is fairly new and can easily be mistaken for the original SAQ A, so be sure to read the guidelines for both carefully.


SAQ B

The SAQ B is for any business that processes its payments through imprint-only machines or standalone terminals and does not store cardholder data electronically. Since most modern standalone terminals offer a number of connection types, such as Bluetooth, Ethernet, etc., the SAQ B form asks businesses to confirm that the terminals being used are isolated from surrounding networks and therefore protect cardholder data.


SAQ B-IP

Like the SAQ B, the SAQ B-IP is not applicable to ecommerce businesses. However, the SAQ B-IP differs slightly from the SAQ B in that it is strictly for businesses that process payments through standalone PIN Transaction Security (PTS) approved point-of-interaction (POI) devices with an IP connection to the payment processor. One of the key aspects of this SAQ type is that there is no electronic storage of cardholder information: the POI devices should be isolated from other systems, and the only records of cardholder data are on paper receipts.


SAQ C

The SAQ C is for businesses that receive their payments through an internet-connected payment application. Once again, there is no electronic storage of cardholder data on the part of the business owner, so the form is primarily designed to ensure that the internet-connected application the business is using is, in fact, PCI compliant.


SAQ C-VT

At first glance, the SAQ C-VT and the SAQ C may seem very similar, and in many ways they are. The SAQ C-VT differs from the original SAQ C in a subtle but significant way, though. While both of these SAQ types are used by businesses that process their payments through an internet-connected application, the SAQ C-VT applies to businesses that use externally hosted web payment solutions (virtual terminals). This SAQ type is most commonly used by businesses that rely on in-house call centers and web-hosted payment entry for their payment processing needs.


SAQ P2PE

The SAQ P2PE should be used by businesses that process their card data through a PCI SSC-listed Point-to-Point Encryption (P2PE) solution. Unlike some of the other SAQ types, the SAQ P2PE can be used by both card-present and card-not-present (mail/telephone order only) businesses. This is because the card data is entered only into a P2PE-validated hardware device, and cardholder data is not stored electronically.


SAQ D

The SAQ D is for any business that does not fit into any of the other SAQ categories. It functions as a sort of catch-all SAQ that covers the entire PCI DSS, a set of more than 200 requirements. If you are a service provider, the SAQ D is the only assessment that you may qualify to complete. Although it may seem like completing SAQ D is the easiest route to take, it should be noted that because it is the "catch-all SAQ," the SAQ D is much more complex than its counterparts and should only be used when it is absolutely necessary.


Finding and completing the SAQ that is right for your business may seem like a daunting task. However, completing an SAQ not only means you get to waive PCI non-compliance fees from future processing statements, but you'll also be confident that your customers are not being exposed to identity theft simply for doing business with you. The fact of the matter is that if your business is not PCI compliant and it experiences a data breach, you could end up being forced to pay significant financial penalties. In addition to the potential financial burden, being PCI non-compliant means that you may run the risk of losing your merchant account, meaning you won't be able to accept credit cards at all.

The SAQ, though it may be intimidating at first glance, is a great opportunity for merchants to save money on processing while also ensuring the safety of their consumers’ information.

Michael Seaman

Michael Seaman is the co-founder and CEO of Swipesum. A veteran of the payments industry and former employee at one of the largest payments companies, Michael, along with his brother Stephen, has led Swipesum since its inception in 2016. Swipesum is committed to providing innovative payment solutions and exceptional service to its diverse clientele. In his free time, Michael enjoys traveling with his wife Kelsey and their three children, pole vaulting, and engaging in typical Midwestern dad activities.
