PCI DSS (Payment Card Industry Data Security Standard) v4.0.1 introduced updated Self-Assessment Questionnaires (SAQs) to help businesses assess their compliance with the PCI DSS requirements. Each SAQ is tailored to specific payment card processing environments. Here's a summary of the various SAQs under PCI DSS v4.0.1:
1. SAQ A: Card-Not-Present Merchants (e-commerce or mail/telephone order)
- Who it’s for: Merchants who have fully outsourced their cardholder data functions to third-party service providers, without any electronic storage, processing, or transmission of cardholder data on their systems or premises.
- Requirements: Limited to 22 requirements.
- Key Controls:
  - No storage, processing, or transmission of cardholder data.
  - All cardholder data is handled by a PCI-compliant third-party provider.
2. SAQ A-EP: E-commerce Merchants Using a Third-Party Service Provider for Card Processing
- Who it’s for: E-commerce merchants that outsource payment processing to third-party providers but manage their own website and do not directly receive cardholder data.
- Requirements: 193 requirements.
- Key Controls:
  - Merchants maintain responsibility for securing the website and its integration with the payment processor.
  - Focus on securing the web server and ensuring it is not compromised.
3. SAQ B: Imprint-Only or Standalone Dial-Out Terminal Merchants
- Who it’s for: Merchants using standalone, non-connected payment terminals (dial-out terminals) or card imprint machines.
- Requirements: 41 requirements.
- Key Controls:
  - No connection to the internet or payment systems.
  - The environment has minimal technical infrastructure to protect.
4. SAQ B-IP: Merchants Using Standalone Payment Terminals with an IP Connection
- Who it’s for: Merchants with standalone payment terminals connected to the internet (IP) but with no other electronic cardholder data storage or processing.
- Requirements: 82 requirements.
- Key Controls:
  - Terminals must be isolated and segmented from other systems.
  - Cardholder data is processed using secure payment devices and encrypted communications.
5. SAQ C-VT: Merchants Using Web-Based Virtual Payment Terminals
- Who it’s for: Merchants using a virtual terminal (accessed via a web browser) to manually enter payment card data, without any electronic storage of cardholder data.
- Requirements: 72 requirements.
- Key Controls:
  - Secure browser configurations.
  - The terminal must not be connected to other systems that store or process cardholder data.
6. SAQ C: Merchants with Payment Applications Connected to the Internet
- Who it’s for: Merchants that use payment applications connected to the internet but do not store cardholder data electronically.
- Requirements: 160 requirements.
- Key Controls:
  - Secure payment application and network environment.
  - Focus on securing the entire payment environment and network segmentation.
7. SAQ D for Merchants: All Other Merchants Not Covered by SAQs A–C
- Who it’s for: Merchants that store, process, or transmit cardholder data and do not meet the requirements of other SAQs.
- Requirements: 329 requirements.
- Key Controls:
  - Broad and comprehensive coverage, as it applies to merchants with a more complex payment environment.
  - Compliance with all PCI DSS requirements.
8. SAQ D for Service Providers: All Service Providers Defined by PCI DSS
- Who it’s for: Service providers that store, process, or transmit cardholder data on behalf of other businesses.
- Requirements: 360 requirements.
- Key Controls:
  - Comprehensive coverage of all PCI DSS requirements for service providers.
  - Focus on securing environments where service providers handle data on behalf of multiple clients.
9. SAQ P2PE: Merchants Using PCI-Validated Point-to-Point Encryption (P2PE) Solutions
- Who it’s for: Merchants using PCI-validated P2PE solutions that encrypt cardholder data from the point of interaction (e.g., card reader) and ensure it is decrypted only by the payment processor.
- Requirements: 33 requirements.
- Key Controls:
  - Use of a validated P2PE solution eliminates the need for the merchant to manage encryption keys or decrypt data.
  - Simplified requirements due to encryption.
Key Changes in PCI DSS v4.0.1 SAQs:
- Expanded Requirements: Most SAQs have more requirements compared to previous versions to align with the new structure of PCI DSS v4.0.
- Customized Approach: SAQs now support organizations adopting a customized approach for their security controls, but this requires additional documentation and validation.
- Increased Focus on Multi-Factor Authentication (MFA): MFA is emphasized across most SAQs for access to systems handling cardholder data.
These SAQs allow organizations to assess their specific environments and ensure compliance without going through the full PCI DSS assessment, which is typically required for large merchants and service providers.