{"id":494,"date":"2020-04-10T09:47:35","date_gmt":"2020-04-10T09:47:35","guid":{"rendered":"http:\/\/www.pcidssguide.com\/?p=494"},"modified":"2023-10-09T08:42:06","modified_gmt":"2023-10-09T08:42:06","slug":"choosing-the-right-pci-dss-saq","status":"publish","type":"post","link":"https:\/\/pcidssguide.com\/choosing-the-right-pci-dss-saq\/","title":{"rendered":"Choosing the Right PCI DSS SAQ"},"content":{"rendered":"\n
The PCI Self-Assessment Questionnaire (PCI SAQ) is a statement by merchants and service providers of PCI compliance. It is also a way to demonstrate that you have taken the necessary security measures to store and process cardholder data safely in your business.

PCI Self-Assessment Questionnaires are not just a compliance guide; they are also an advanced guide to security. The easiest way to make sure you don't miss any security requirements is to fill out a PCI SAQ.

See Also: PCI DSS SAQ What to Know, and What to Do

Also, the primary entities that process transactions do not want to deal with vulnerable businesses. Therefore, they generally want each merchant to have a PCI SAQ as proof of payment security.

"Which SAQ is right for me?" When you ask this question, there are a total of 9 different SAQs that merchants and service providers can choose from. Mainly, how you accept credit cards and how you handle cardholder data will determine which SAQ your company should complete.

Each SAQ contains a set of security requirements that businesses must review and comply with. The length of the PCI SAQs and the number of questions vary by type. For example, SAQ A is the shortest, with only 24 questions, while the longest, SAQ D, has 328 questions.

For example, if you do not have a physical store and all your products are sold online through a third party, you may be eligible for SAQ A or SAQ A-EP. If you are an online retailer that accepts credit cards and also stores credit card information for your customers, you will probably need to complete PCI SAQ D.

There are 8 PCI SAQs for merchants and one PCI SAQ for service providers. The large number of SAQs makes it a little challenging to choose the right one. Choosing the wrong SAQ can void your compliance and expose your organization to a greater risk of payment card data breaches.

So let's try to simplify this a little with step-by-step instructions. First, let's start with an overview of all the SAQ options.

Each PCI SAQ contains a list of security requirements that organizations must check and enforce. Since there are nine types of SAQ in total, it may take some time to understand and learn all of them. That's why we created a table of SAQ options to summarize and simplify the SAQ types:

After reviewing the chart, we will give some suggestions and advice on how to use its output correctly.

Below is a visual guide and flowchart for choosing which SAQ type best applies to your environment. Proceed by answering yes or no to the questions in the chart. The SAQ option you arrive at according to your answers will be the most appropriate SAQ for your environment.

Which PCI SAQ is right for me?
| SAQ Type | Eligibility Criteria | Card Payment Acceptance Channels | Difficulty |
|---|---|---|---|
| SAQ A | Card-not-present merchants; all cardholder data functions fully outsourced. | Card-not-present only: mail order / telephone order (MOTO) and e-commerce | Easy (24 questions) |
| SAQ A-EP | E-commerce merchants that partially outsource payment processing to a third-party platform. | Card-not-present only: e-commerce | Difficult (192 questions) |
| SAQ B | Merchants using only imprint machines and electronic point-of-sale (POS) devices. | Card-present and card-not-present: brick and mortar and MOTO | Easy (41 questions) |
| SAQ B-IP | Merchants using only standalone, PIN Transaction Security (PTS)-approved payment terminals with an IP connection. | Card-present and card-not-present: brick and mortar and MOTO | Average (87 questions) |
| SAQ C | Merchants with payment application systems connected to the internet. | Card-present and card-not-present: brick and mortar and MOTO | Difficult (161 questions) |
| SAQ C-VT | Merchants with web-based virtual terminals. | Card-present and card-not-present: brick and mortar and MOTO | Average (84 questions) |
| SAQ P2PE | Merchants using only hardware payment terminals in a PCI-listed P2PE solution. | Card-present and card-not-present: brick and mortar and MOTO | Easy (34 questions) |
| SAQ D Merchant and Service Provider | All other SAQ-eligible merchants and SAQ-eligible service providers. | Card-present and card-not-present: brick and mortar, MOTO and e-commerce | Extreme (328 questions for merchants; 370 questions for service providers) |