PCI SAQ (Self Assessment Questionnaire) – What Is It?

The PCI compliance Self Assessment Questionnaire needs to be completed by merchants every 12 months, and is the most comprehensive way to check if your business is PCI compliant.

It’s likely that in recent months you’ve heard of a business suffering a breach of its customers payment card data. It occurs so often now, we all hear about it, and forget about the event quickly.

A 2015 study by Javelin Strategy & Research, found that US$16 billion was stolen from 12.7 million consumers in 2014 in the United States alone, that’s 1 in 100 people. There was a new identity fraud victim every two seconds in 2014.

There is just one set of recognized standards to protect your business from these attacks: the Payment Card Data Security Standard (PCI DSS, known as PCI Compliance).

Not being PCI compliant doesn’t only betray your customers’ trust, but breaches will subject your business to steep fines and expenses.

Keeping your business in-line, however, is easier than you think.

How to complete the Self-Assessment Questionnaire (SAQ) – To become PCI compliant, your business needs to meet the standards set according to the security category it falls into. Most businesses (likely yours too) belong to category 3 or 4, which involve the same procedures: Fill in a Self-Assessment Questionnaire (SAQ) and at minimum, a Quarterly PCI Compliance scan, run by an Approved Scanning Vendor (ASV).

The Payment Card Industry Data Security Standard (PCI DSS) defines the SAQ as “a validation tool to assist merchants and service providers in demonstrating their compliance.”

The SAQ can be completed by a person in your business (possibly yourself), and is the first step on the path to becoming PCI compliant. The Self-Assessment Questionnaire, as the name implies, is completed by a representative officer from your business, this could be the IT Manager, the CFO, or anyone with knowledge of how the business works.

The First Step to Completing a SAQ

The first step is to identify the SAQ category your business falls under – which varies depending on how you process, store and transmit customers’ payment card data – that applies to your business.

SAQ A: Card not present merchants (e-commerce or mail/telephone-order) with all cardholder data functions outsourced.

SAQ B: Imprint-only merchants with no electronic card holder data storage, or, Stand-alone dial-up terminal merchants with no electronic card holder data storage.

SAQ C: Merchants with payment systems connected to the Internet and no electronic cardholder data storage.

SAQ D: All other merchants (not included in descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete an SAQ D.

There are more, but this covers the basics.

Once you have identified the category applicable to your business you must then fill in the relevant SAQ and Attestation of Compliance (AoC) PDF form.

Use the SAQ form as a guide to evaluate your business’s security protocols. Any potential risks in your business’s payment system highlighted by the SAQ must be addressed and then the questionnaire retaken, until you can answer every question with ‘pass’ or ‘not applicable’, to achieve compliance with the required PCI Data Security Standard.

The final step to becoming PCI Compliant

Once your business satisfies all the requirements outlined in the SAQ, the next step is to undergo a PCI Compliance scan on your website / payment system.