How To Choose The Right PCI SAQ For Your Organization?

Written By: Eishu Richhariya and Neelabh Ghosh

The surge in ransomware attacks, with an average total cost of $5.13 million in 2023 (a 13% increase from 2022), underscores the critical need for organizations to prioritize robust security measures. One crucial line of defense is compliance with the Payment Card Industry Data Security Standard (PCI DSS), and choosing the right PCI SAQ (Self-Assessment Questionnaire) is the first step toward validating that compliance.

What is PCI SAQ?

The PCI Self-Assessment Questionnaire (SAQ) is a validation tool designed to help merchants and service providers assess compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Each SAQ has a “Before You Begin” section that describes the cardholder data environment it is meant to address. This is followed by a series of “yes” or “no” questions about various aspects of the card processing operation and its security measures, such as system configuration, network security, and access control.

There are ten PCI SAQs. Choosing the right PCI SAQ among the ten available options (one for service providers and nine for merchants) might be challenging. The selection process considers factors such as credit card transaction volume and cardholder data management.

Let’s understand how to choose the right SAQ for your business.

Note: Another essential part of SAQs is the Attestation of Compliance (AOC), a formal document detailing compliance with PCI DSS rules.

Understanding The Business Model – 4 PCI Levels

1. PCI Level 1

  • Applies to merchants processing more than six million card transactions annually
  • Requires an annual onsite audit conducted by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA)
  • Mandatory annual penetration tests and quarterly network scans by an approved vendor
  • Mandatory submission of an Attestation of Compliance (AOC) form

2. PCI Level 2

  • Applies to businesses processing between one million and six million transactions annually
  • Requires completing a Self-Assessment Questionnaire (SAQ) and Quarterly Network Scans
  • Onsite audits may be required in case of a data breach or as determined by the acquiring bank
  • Mandatory annual penetration tests

3. PCI Level 3

  • Applies to merchants processing between 20,000 and 1 million transactions annually
  • Requires completing a Self-Assessment Questionnaire (SAQ) and Quarterly Network Scans, similar to Level 2
  • Penetration tests are not mandatory but recommended

4. PCI Level 4

  • Applies to businesses with the lowest transaction volumes, under 20,000 transactions annually
  • Mandatory completion of SAQ, quarterly network scans, and submission of an AOC

Which Type of SAQ is Right For Your Business?

1. SAQ A

Businesses that only maintain paper records containing account data and outsource card data functions might consider SAQ A. This SAQ allows them to function as mail-order or phone-order businesses without handling electronic account information. It does not apply to face-to-face channels or service providers. It is just for card-not-present transactions.

Eligibility Requirements:

  • Solely accepting transactions where a card is not physically present
  • Outsourcing complete account data processing to a 3rd party compliant with PCI DSS
  • Entire reliance on the external entity for handling account data management
  • Verifying the compliance status of the 3rd party service provider
  • Retaining any account information acquired on paper rather than electronically

2. SAQ A-EP

SAQ A-EP is for online retailers that do not electronically store, process, or transmit account data on their own systems and entrust payment processing to PCI DSS-compliant 3rd parties, but whose website still affects the security of the payment transaction (for example, by redirecting the customer or delivering elements of the payment page). It explicitly targets e-commerce channels and excludes service providers.

Eligibility Requirements

  • Solely accepting e-commerce transactions
  • Engaging a 3rd party compliant with PCI DSS to manage account data
  • Overseeing consumer redirection to a compliant 3rd party
  • Utilizing payment page elements originating from their website or a compliant 3rd party
  • Saving any account information on paper instead of acquiring it electronically

3. SAQ B

SAQ B is explicitly designed for retailers operating in traditional stores or handling payments via mail/telephone orders. It’s tailored for those using imprint machines or standalone dial-out terminals for payment processing. It does not apply to e-commerce channels or service providers. As long as no account data is stored electronically, SAQ B is the appropriate questionnaire for validating PCI DSS compliance.

Eligibility Requirements:

  • The exclusive use of dial-out terminals or imprint machines
  • These devices remain disconnected from the internet or other systems
  • Account data is not stored electronically
  • Retention of any account data received in paper format

4. SAQ B-IP

Brick-and-mortar stores and mail-order/phone-order businesses using standalone, PCI-approved point-of-sale terminals (excluding SCRs and SCRPs) can leverage SAQ B-IP for streamlined PCI compliance. This self-assessment questionnaire caters specifically to their needs, focusing on security for internet-connected terminals without cardholder data storage. Unlike broader SAQs, B-IP simplifies the process while still requiring robust security measures.

Eligibility Requirements:

  • Utilizing PTS POI devices that are validated and stand-alone, connected via IP to the payment processor
  • The devices are not connected to any other systems
  • Account data is not stored electronically
  • Transmission of account data occurs exclusively between the PTS POI device and the payment processor
  • Maintaining any account information on paper

5. SAQ C

SAQ C is designated for merchants who do not retain electronic account data and who operate using point-of-sale (POS) systems or other internet-connected payment application systems. It’s not intended for service providers or e-commerce outlets.

Eligibility Requirements:

  • An internet connection and a payment application system must be on the same device or local area network (LAN)
  • Network segmentation is necessary to isolate the device/LAN from other systems
  • The physical location of the POS environment must be exclusive to one store and cannot be connected to other buildings or places
  • Account data retained must not be received online. It must be in paper format, such as printed reports or receipts

6. SAQ C-VT

SAQ C-VT is intended for merchants who process cardholder data through Virtual Payment Terminal systems without the need to read data from a real card.

Eligibility Requirements:

  • Payment entry is done manually using a single Internet-connected device, regardless of whether the merchant operates physically, handles mail orders, or accepts phone orders
  • Account information is not retained on computer systems
  • Every payment transaction is processed by a 3rd party service provider compliant with PCI DSS and accessed through an internet-connected web browser
  • No hardware is used to record or store account information
  • The device has no software installed for storing account data
  • No account data is received, transmitted, or stored electronically
  • Any account information retained is maintained in paper records, not electronically

7. SAQ P2PE

SAQ P2PE is a self-assessment questionnaire designed for businesses that utilize PCI-listed P2PE, a specific type of payment security technology. With P2PE, sensitive card data, starting from the entry point (e.g., magnetic stripe read, chip read, or keystroke entry), is encrypted until it reaches the secure environment of the payment processor, where it is decrypted for processing. Merchants adhering to SAQ P2PE standards do not handle unencrypted account data on any computer system; they solely use these trusted P2PE payment terminals.

Eligibility Requirements:

  • It does not apply to e-commerce channels or service providers but is relevant for brick-and-mortar and mail/telephone orders
  • Only P2PE payment terminals may store, process, or transmit account information. All payment processing must occur through a vetted P2PE solution
  • Merchants can only receive the account information on paper; no electronic retrieval option exists
  • Merchants must adhere to the controls outlined in the P2PE Instruction Manual provided by the P2PE Solution Provider to ensure compliance

8. SAQ SPoC

SAQ SPoC is designed for merchants who utilize Commercial Off-The-Shelf (COTS) mobile devices and PCI-approved Secure Card Reader-PIN (SCRP) in a validated Software-based PIN Entry on COTS (SPoC) solution for card-present transactions. This SAQ is exclusively intended for merchants accepting face-to-face payments.

Eligibility Requirements:

  • Processing payments exclusively through card-present channels, with cardholder data entered into the SPoC solution using PCI SSC-approved SCRP
  • Solely using the SPoC environment to process account data
  • No electronic receipt, transmission, or storage of account data
  • Isolating the payment route from other networks
  • Retaining account information offline, not online
  • The SPoC Solution Provider is responsible for implementing the controls from the SPoC user handbook

9. SAQ D for Merchants

If a merchant does not qualify for any other SAQ type but requires a self-assessment questionnaire, they should use SAQ D for Merchants. This applies to merchants who:

  • Handle credit card processing independently
  • Do not use a P2PE (point-to-point encryption) solution
  • Electronically store credit card data

SAQ D is commonly used in merchant situations such as, but not limited to, online retailers who accept credit card information on their own site and companies that electronically store credit card information.

10. SAQ D for Service Providers

Any service provider approved by a payment brand for the self-assessment questionnaire and who stores credit card data must adhere to SAQ D for Service Providers. Service providers processing fewer than 300,000 card transactions have the option to file a Report on Compliance (ROC) or use SAQ D; those processing more transactions must document their compliance in a full ROC.
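The selection rules above can be expressed as a decision procedure. The following Python script is an added example, not code from the authors or from Accorian; it encodes the eligibility criteria as written on this page into two functions, one mapping annual transaction volume to the merchant level and one listing the SAQs a merchant may be eligible for. The `MerchantProfile` fields and the `ACCEPTANCE` labels are assumed, simplified descriptors of how a merchant accepts cards; level boundaries at exactly 1 million and 20,000 transactions are assumed where the page is ambiguous. SAQ D for Merchants is always returned last as the fallback the page describes, and a service provider or any merchant storing account data electronically goes straight to SAQ D.

```python
from dataclasses import dataclass

# Assumed labels for how card data enters the merchant's environment.
# Each maps to the SAQ whose "Before You Begin" scenario it matches.
ACCEPTANCE = {
    "fully_outsourced",               # all account data handled by a PCI DSS-compliant 3rd party (SAQ A)
    "outsourced_with_web_elements",   # 3rd party processes, but merchant site redirects / serves page elements (SAQ A-EP)
    "dial_out_or_imprint",            # standalone dial-out terminals or imprint machines (SAQ B)
    "ip_standalone_pts_poi",          # validated stand-alone PTS POI devices over IP to the processor (SAQ B-IP)
    "pos_on_lan",                     # POS / payment application on an internet-connected LAN (SAQ C)
    "virtual_terminal",               # manual key-entry into a 3rd party virtual terminal in a browser (SAQ C-VT)
    "p2pe_listed",                    # PCI-listed P2PE terminals only (SAQ P2PE)
    "spoc_scrp",                      # COTS device plus PCI-approved SCRP in a validated SPoC solution (SAQ SPoC)
}

CARD_NOT_PRESENT = frozenset({"ecommerce", "moto"})   # moto = mail order / telephone order
NO_ECOMMERCE = frozenset({"moto", "card_present"})
CARD_PRESENT_ONLY = frozenset({"card_present"})
ECOMMERCE_ONLY = frozenset({"ecommerce"})


@dataclass(frozen=True)
class MerchantProfile:
    """Assumed, simplified description of a merchant for SAQ selection."""
    channels: frozenset           # non-empty subset of {"ecommerce", "moto", "card_present"}
    acceptance: str               # one of ACCEPTANCE
    stores_account_data_electronically: bool = False
    is_service_provider: bool = False


def pci_merchant_level(annual_transactions: int) -> int:
    """Map annual card transaction volume to the merchant level described on the page.

    Assumption: exactly 1,000,000 falls in Level 3 and exactly 20,000 in Level 3,
    since the page does not state which side of each boundary applies.
    """
    if annual_transactions > 6_000_000:
        return 1
    if annual_transactions > 1_000_000:
        return 2
    if annual_transactions >= 20_000:
        return 3
    return 4


def eligible_saqs(profile: MerchantProfile) -> list:
    """Return the SAQs the merchant may be eligible for, most specific first.

    The page's rule that SAQ D covers anyone who fits no other SAQ is modelled
    by always appending "SAQ D for Merchants" as the last entry.
    """
    if profile.acceptance not in ACCEPTANCE:
        raise ValueError(f"unknown acceptance mode: {profile.acceptance!r}")
    if not profile.channels:
        raise ValueError("a merchant must accept cards through at least one channel")
    if profile.is_service_provider:
        # None of the nine merchant SAQs apply to service providers.
        return ["SAQ D for Service Providers"]
    if profile.stores_account_data_electronically:
        # Every merchant SAQ other than D requires no electronic storage of account data.
        return ["SAQ D for Merchants"]

    ch, acc = profile.channels, profile.acceptance
    candidates = []
    if acc == "fully_outsourced" and ch <= CARD_NOT_PRESENT:
        candidates.append("SAQ A")
    if acc == "outsourced_with_web_elements" and ch == ECOMMERCE_ONLY:
        candidates.append("SAQ A-EP")
    if acc == "dial_out_or_imprint" and ch <= NO_ECOMMERCE:
        candidates.append("SAQ B")
    if acc == "ip_standalone_pts_poi" and ch <= NO_ECOMMERCE:
        candidates.append("SAQ B-IP")
    if acc == "pos_on_lan" and ch <= NO_ECOMMERCE:
        candidates.append("SAQ C")
    if acc == "virtual_terminal" and ch <= NO_ECOMMERCE:
        # Assumption: the page lists physical, mail and phone channels for C-VT, so e-commerce is excluded.
        candidates.append("SAQ C-VT")
    if acc == "p2pe_listed" and ch <= NO_ECOMMERCE:
        candidates.append("SAQ P2PE")
    if acc == "spoc_scrp" and ch == CARD_PRESENT_ONLY:
        candidates.append("SAQ SPoC")
    candidates.append("SAQ D for Merchants")
    return candidates


def recommend(profile: MerchantProfile, annual_transactions: int) -> str:
    """One-line summary combining the level and the most specific eligible SAQ."""
    level = pci_merchant_level(annual_transactions)
    return f"Level {level}: {eligible_saqs(profile)[0]}"


if __name__ == "__main__":
    # Constructed sample merchant: a small web shop that redirects shoppers to a compliant processor.
    shop = MerchantProfile(channels=frozenset({"ecommerce"}), acceptance="outsourced_with_web_elements")
    print(recommend(shop, 15_000))
```

A merchant that matches no specific branch (for example, a SPoC deployment that also takes mail orders) falls through to SAQ D, which is the behaviour the page describes for SAQ D for Merchants.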

Choose Accorian For Your PCI DSS Compliance

Accorian holds the prestigious distinction of having a team of highly Qualified PCI QSAs (Qualified Security Assessors) specializing in assessing PCI compliance, particularly emphasizing network infrastructure. We are also CREST accredited and an ASV (Approved Scan Vendor). Our PCI accreditations underline our expertise and credibility in cybersecurity and PCI DSS compliance.
