Choosing the Right PCI DSS SAQ
Published 2020-04-10, last modified 2023-10-09. Source: https://pcidssguide.com/choosing-the-right-pci-dss-saq/

The PCI Self-Assessment Questionnaire (PCI SAQ) is a merchant's or service provider's self-attestation of PCI DSS compliance. It is also a way to demonstrate that you have taken the necessary security measures to keep cardholder data safe while your business stores and processes it.

PCI Self-Assessment Questionnaires are not just a compliance checklist; they are also a practical security guide. The easiest way to make sure you do not miss any security requirement is to complete the PCI SAQ that applies to you.

See Also: PCI DSS SAQ: What to Know and What to Do

The entities that process your transactions also do not want to deal with vulnerable businesses, so they generally require each merchant to submit a PCI SAQ as proof of payment security.

Which PCI SAQ is right for me?

When you ask "Which SAQ is right for me?", there are nine different SAQs that merchants and service providers can choose from. How you accept card payments and how you handle cardholder data largely determine which SAQ your company should complete.

Each SAQ contains a set of security requirements that the business must review and comply with. The length of the PCI SAQs and the number of questions vary by type. For example, SAQ A is the shortest, with only 24 questions, while the longest is SAQ D, with 328 questions.

For example, if you do not have a physical store and all your products are sold online with payment handled by a third party, you may qualify for SAQ A or SAQ A-EP. If you are an online retailer that accepts credit cards and also stores your customers' card information, you will most likely need to complete SAQ D.

There are eight PCI SAQs for merchants and one PCI SAQ for service providers. The large number of SAQs makes it a little challenging to choose the right one. Choosing the wrong SAQ can invalidate your compliance validation and leave your organization exposed to a greater risk of a payment card data breach.

So let's simplify this with step-by-step instructions, starting with an overview of all SAQ options.

Each PCI SAQ contains a list of security requirements that the organization must check and implement. Since there are nine types of SAQ in total, it may take some time to understand them all. That is why we created a table summarizing the SAQ types:

After the table, we give some advice on how to use it correctly.

| SAQ Type | Eligibility Criteria | Card Payment Acceptance Channels | Difficulty |
|---|---|---|---|
| SAQ A | Card-not-present merchants; all cardholder data functions fully outsourced. | Card-not-present only: mail order / telephone order (MOTO) and e-commerce | Easy (24 questions) |
| SAQ A-EP | E-commerce merchants that partially outsource payment processing to a third-party platform. | Card-not-present only: e-commerce | Difficult (192 questions) |
| SAQ B | Merchants using only imprint machines and/or standalone electronic point-of-sale (POS) devices. | Card-present and card-not-present: brick and mortar and MOTO | Easy (41 questions) |
| SAQ B-IP | Merchants using only standalone, PIN Transaction Security (PTS) approved payment terminals with an IP connection. | Card-present and card-not-present: brick and mortar and MOTO | Average (87 questions) |
| SAQ C | Merchants with payment application systems connected to the internet. | Card-present and card-not-present: brick and mortar and MOTO | Difficult (161 questions) |
| SAQ C-VT | Merchants using web-based virtual terminals. | Card-present and card-not-present: brick and mortar and MOTO | Average (84 questions) |
| SAQ P2PE | Merchants using only hardware payment terminals in a PCI-listed P2PE solution. | Card-present and card-not-present: brick and mortar and MOTO | Easy (34 questions) |
| SAQ D (Merchant and Service Provider) | All other SAQ-eligible merchants and SAQ-eligible service providers. | Card-present and card-not-present: brick and mortar, MOTO and e-commerce | Extreme (328 questions for merchants; 370 questions for service providers) |

Table: PCI DSS 3.2.1 SAQ types

Below is a visual guide, in the form of a flowchart, for choosing the SAQ type that best applies to your environment. Answer yes or no to each question in the chart; the SAQ option you arrive at is the most appropriate one for your environment.

[Figure: how to choose the right PCI SAQ]

If you are a service provider and qualify for SAQ validation, your choice is easy, because SAQ D is the only SAQ available to service providers. Keep in mind that an organization can be both a merchant and a service provider: it is not unusual for a service provider that processes transactions for other merchants to also be a merchant itself.

If you are a merchant eligible to validate with an SAQ, you must identify the relevant SAQ separately for each card acceptance channel you have. The card acceptance channels are card-present (face-to-face) transactions, card-not-present MOTO (mail order / telephone order) transactions, and e-commerce.

The first question you have to answer is whether you store cardholder data electronically, including legacy data. If the answer is yes, you do not need to spend time searching through the various SAQ forms: SAQ D is the one for you.

See Also: PCI Compliance Reports: What Do SAQ, AoC, and RoC Mean?

The next step is to evaluate your company's actual requirements for processing cardholder data in your environment. SAQ D is the most complex SAQ option. If you can avoid storing cardholder data in your environment, you can significantly reduce the number of requirements you must meet by qualifying for one of the other SAQ options.

Consider each card payment channel separately, starting with e-commerce. If you accept transactions through e-commerce, only SAQ A, SAQ A-EP, or SAQ D can apply.

Read the eligibility requirements carefully to decide which SAQ form suits your environment. Generally, e-commerce merchants using a URL redirect or iFrame integration qualify for SAQ A.

E-commerce merchants using the Direct Post Method (DPM, where the customer's browser submits card data by HTTP POST directly to the payment processor) or a JavaScript form are eligible for SAQ A-EP. E-commerce merchants using an API integration or any other method must complete SAQ D.

The SAQ options that may be suitable for MOTO (mail order / telephone order) transactions are as follows: