The Self-Assessment Questionnaire (SAQ) is a document that merchants are required to complete every year and submit to their Acquiring Bank. Taking the SAQ with us is the fastest way to find out what you need to do to become PCI compliant, with expert help at every stage along the way.
*New users register first to create a free account. Existing PCICompliance customers should enter their username and password on the enrollment form. A new 'SAQ' tab will be added to the PCICompliance interface.
The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The questionnaire consists of a set of 12 security requirements grouped into 6 broader sections, with each section targeting a specific area of security from the PCI Data Security Standard. All sections must be completed. Completing a Self-Assessment Questionnaire helps online merchants evaluate their security practices and plan compliance with the required PCI Data Security Standard. Further, completing the required SAQ gives others, such as their Acquiring Bank, the necessary evidence that they are in compliance with the PCI Data Security Standard.
There are 9 different versions of the self-assessment questionnaire. The version that your organization will need to complete depends on how your company handles credit card data; this is called your 'Validation Type'. For some merchants, the appropriate questionnaire is short and simple, while for others it is long and technical. The first five or six questions in the compliance wizard will quickly determine your company's validation type and then automatically begin the appropriate questionnaire.
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa.
Merchants have to pass ALL questions (or be able to answer 'Not Applicable') to be considered compliant with the PCI Data Security Standard.
Failing any question means the merchant or service provider is not compliant. The risk(s) identified by the questionnaire must be remedied and the questionnaire retaken.
We have simplified this often confusing process with the launch of the PCICompliance PCI Compliance Wizard. The intuitive web-based application guides merchants through every step of the PCI SAQ. Each question is accompanied by expert advice to help the merchant interpret and appropriately answer it. At the end of the wizard you will find out immediately whether or not your answers qualify your organization as PCI compliant.
Glad you asked. At the end of your questionnaire you will receive:
What if I can't finish it? Your progress is automatically saved after each question, allowing you to log out and return at a later date to complete the questionnaire. Your free account and responses are retained, giving you an opportunity to revise and modify any of your answers. This also allows you to update, schedule and track the progress of outstanding remediation tasks.
REQUIREMENTS AND SECURITY ASSESSMENT PROCEDURES | VERSION 3.2
| SAQ type | Who it applies to |
|---|---|
| A | Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels. |
| A-EP | E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels. |
| B | Merchants using only: imprint machines with no electronic cardholder data storage; and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. |
| C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. |
| P2PE-HW | Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| D-MER | All merchants not included in descriptions for the above SAQ types. |
| D-SP | All service providers defined by a payment brand as eligible to complete a SAQ. |
SAMPLE QUESTIONS TAKEN DIRECTLY FROM THE SELF-ASSESSMENT QUESTIONNAIRE YOU WILL TAKE
| Reference | Section / requirement / question |
|---|---|
| Section | Build and Maintain a Secure Network |
| 1 | Install and maintain a firewall configuration to protect data |
| 1.1 | Are firewall and router configuration standards established to include the following: |
| 1.1.1 | Is there a formal process for approving and testing all external network connections and changes to the firewall and router configurations? |
| 8.3 | Is there a formal process for approving and testing all external network connections and changes to the firewall and router configurations? |