Completing a PCI Self-Assessment Questionnaire (PCI SAQ) is the first step a merchant can take to determine whether its business complies with the Payment Card Industry Data Security Standard (PCI DSS), commonly referred to as PCI compliance.
The PCI DSS establishes a common set of requirements and measurements to help ensure the secure handling of sensitive account data for credit and debit cards, EBT cards and other forms of electronic payment. It also provides a framework for a strong account data security process that prevents, detects, protects against and responds to security incidents.
It is critical that every organization that accepts card payments and stores, processes or transmits cardholder data be PCI compliant, both to reduce the risk of a compromise and to limit its impact if one does occur. Merchant Express® takes this responsibility very seriously and stands ready to help its merchants achieve and maintain PCI compliance, beginning with completing a PCI SAQ.
The PCI Security Standards Council (PCI SSC) — the party responsible for the development, management, education and awareness of the PCI Data Security Standards — defines the PCI SAQ as a validation tool for eligible merchants and service providers who self-assess their PCI DSS compliance and who are not required to submit a Report on Compliance (ROC). Credit card processors may require their merchant account holders to share their PCI SAQ with them; ask your processor for details regarding your particular PCI DSS validation requirements.
There are two components to a PCI SAQ:
- A set of yes-or-no questions, grouped by PCI DSS requirement and tailored to the environment of the merchant or service provider completing it.
- An Attestation of Compliance (AOC), your formal certification that you are eligible to perform, and have performed, the appropriate self-assessment.
There are five SAQ categories in the version outlined below. The PCI SSC has added further SAQ types in later PCI DSS versions, so confirm the current list, and which one you are eligible for, with your processor before choosing one.
- SAQ A applies to card-not-present (e-commerce or mail/telephone order) merchants that do not store cardholder data in electronic format and do not process or transmit any cardholder data on their own systems or premises, because those functions are handled entirely by a third party. They validate compliance by completing SAQ A and the associated Attestation of Compliance. This option never applies to merchants in a face-to-face point-of-sale (POS) environment.
- SAQ B applies to merchants that process cardholder data only via imprint machines or standalone, dial-out terminals and do not store cardholder data electronically. They may be brick-and-mortar (card-present) or mail/telephone order (MOTO, card-not-present) merchants; SAQ B does not apply to e-commerce channels. These merchants validate compliance by completing SAQ B and the associated Attestation of Compliance.
- SAQ C-VT applies to merchants that process cardholder data only through an isolated virtual terminal: a personal computer connected to the Internet solely to reach a third party that hosts the payment processing function, and not connected to other systems in the merchant environment. These merchants do not store cardholder data on any computer system. They may be brick-and-mortar or MOTO merchants, and they validate compliance by completing SAQ C-VT and the associated Attestation of Compliance. This option does not apply to e-commerce merchants.
- SAQ C applies to merchants whose POS systems or other payment application systems are connected to the Internet and who do not store cardholder data on any computer system. They may be brick-and-mortar, e-commerce or MOTO merchants. SAQ C merchants validate compliance by completing SAQ C and the associated Attestation of Compliance.
- SAQ D applies to all service providers defined by a payment brand as eligible to complete an SAQ, and to all SAQ-eligible merchants that do not fit the descriptions of SAQ types A through C above. SAQ D service providers and merchants validate compliance by completing SAQ D and the associated Attestation of Compliance.
For more information about PCI compliance and your PCI SAQ requirement, talk to your Merchant Express representative.