PCI Standards: Picking The Right PCI SAQ for your Business

There is a quote by FBI Director Robert Mueller: “There are two different types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it.”

With a little caution, we can stop data breaches from causing downstream damage. So, reflect on whether your systems are really safe from cyberattacks. To reduce the risk of cardholder data being compromised, it is important to be PCI DSS compliant and to use the PCI SAQ.

What is PCI SAQ?

The Payment Card Industry Self-Assessment Questionnaire (PCI SAQ) is a validation tool, in the form of a questionnaire, by which merchants and service providers who accept credit/debit card payments demonstrate their compliance with PCI DSS. The attestation that follows completion of the PCI SAQ testifies that your company has implemented the necessary security measures and complies with the latest version of the PCI Data Security Standard, keeping cardholders’ data safe in your business.

Which PCI SAQ is right for me?

There are several SAQs that member businesses can choose from. How you accept card payments and how you handle card data determine which SAQ your company should complete. Each SAQ applies to a specific payment scenario.

It is important to choose the right SAQ, because the wrong SAQ can nullify your compliance efforts and expose your business to a greater risk of breaches.

Every business is different, so every assessment is also different. Knowing which SAQ form to complete is a challenge for merchants. Although PCI DSS has set up processes to simplify the assessments, this choice can still be a barrier to some merchants’ motivation to complete the assessment. Companies like QRC Solutions offer facilitated SAQ programs to simplify and handle the process for you.

Once you know which SAQ is right, you can complete it without hassles. Here we will try to streamline this concern by discussing each type of SAQ.

| Type of SAQ | Eligibility | Card Payment Acceptance Channels | Number of Questions |
|---|---|---|---|
| SAQ A | Card-not-present, fully outsourced cardholder data functions | Mail order, telephone order and e-commerce, i.e. card-not-present-only channels | 24 |
| SAQ A-EP | E-commerce retailers who partially outsource payment processing to third-party platforms | Card-not-present-only channel, i.e. only via e-commerce | 192 |
| SAQ B | Merchants who use only imprint machines and point-of-sale (POS) devices | Both card-present and card-not-present channels: mail order / telephone order and a physical shop | 41 |
| SAQ B-IP | Merchants who use only standalone PIN Transaction Security (PTS)-approved payment terminals with an IP connection | Both card-present and card-not-present channels: mail order / telephone order and a physical shop | Approximately 87 |
| SAQ C | Merchants who use payment application systems connected to the Internet | Both card-present and card-not-present channels: mail order / telephone order and a physical shop | 161 |
| SAQ C-VT | Merchants who use web-connected virtual terminals | Both card-present and card-not-present channels: mail order / telephone order and a physical shop | 84 |
| SAQ P2PE | Merchants who use only PCI P2PE-listed hardware payment terminals | Both card-present and card-not-present channels: mail order / telephone order and a physical shop | 34 |
| SAQ D Merchant and Service Provider | All other merchants and service providers who are SAQ eligible | Both card-present and card-not-present channels: mail order / telephone order, a physical shop, and e-commerce | 328 for merchants and 370 for service providers |

SAQ A

Applies to you when:

  1. Your business operates with “card-not-present” transactions only, e.g. e-commerce businesses and mail order/telephone order businesses.
  2. Your company does not handle cardholder data directly. You have outsourced your card handling process completely to a PCI DSS validated third party.
  3. Your business does not electronically store, process, or transmit cardholder data on its systems or premises.

SAQ A-EP

E-commerce merchants who have partially outsourced their e-commerce payment channel to PCI DSS validated third parties qualify for this. They do not electronically store, process, or transmit cardholder data in their own environment.

Applies to you when:

  1. You accept only e-commerce transactions.
  2. You process all cardholder data through an outsourced, PCI DSS validated third party.
  3. Your e-commerce website does not receive cardholder data, but it controls how cardholder data is redirected to the validated third-party payment system. This is the key consideration when deciding between SAQ A and SAQ A-EP.
  4. Your website is hosted by a validated third-party provider.

SAQ B

SAQ B is for merchants who process customers’ card information through imprint machines or standalone, dial-out terminals. They can be either card-present or card-not-present merchants. They do not store customers’ card information on any computer or system.

Applies to you when:

  1. You use only an imprint machine and/or standalone, dial-out terminals connected via a phone line to capture customers’ card information.
  2. The standalone, dial-out terminals are not connected to any other systems in your company.
  3. The standalone, dial-out terminals are not connected to the Internet.
  4. Your business does not transmit cardholder data over an internal network or the Internet.

SAQ B-IP

This is for merchants who use IP-connected point-of-interaction (POI) devices and do not store card data electronically on any computer system. They handle either card-present or card-not-present transactions.

Applies to you when:

  • Your company uses only standalone, PTS-approved, IP-connected POI devices to capture customers’ card information for your payment processor.
  • Your standalone IP-connected POI devices are listed as approved under the PCI PTS POI program.
  • Your standalone IP-connected POI devices are not connected to any other systems within your business.

SAQ C

SAQ C is for merchants whose payment application systems and POS are connected to the Internet. This can include card-present or card-not-present merchants.

Applies to you when:

  • The business’s payment application and Internet connection are on the same device and the same LAN.
  • The payment application is not connected to any other systems of your business.
  • The POS is not used for any other location, and the LAN serves a single location only.
  • Remember that SAQ C does not apply to e-commerce merchants.

SAQ C-VT

This is for merchants who process card information only through standalone virtual payment terminals on a personal computer connected to the Internet.

Applies to you when:

  • Payment processing is done only through a virtual payment terminal accessed from an Internet-connected web browser.
  • Your virtual payment terminal solution is provided by a PCI DSS validated third party.
  • Your company uses the virtual payment terminal solution on a computer that is isolated in a single location and is not connected to other locations or systems within your environment.

SAQ P2PE

The P2PE SAQ applies to merchants who use a P2PE solution for their payment transactions. This reduces the number of SAQ questions to be answered (SAQ D requires 329 questions, while SAQ P2PE has only 33, which makes compliance easier).

Applies to you when:

  • All payments are processed through a validated PCI P2PE solution (approved and listed by the PCI).
  • You store, process or transmit account data only through Point of Interaction (POI) devices that are validated as part of the PCI-listed P2PE solution.
  • You have implemented the controls set out in the P2PE Instruction Manual provided by the P2PE Solution Provider.

SAQ D

SAQ D is for merchants who do not meet the criteria for any other SAQ type. Merchants who store card data electronically and do not use a P2PE-certified POS system are covered under this, as are merchants that do not store cardholder data electronically but still do not meet the criteria of any other SAQ type.

Service providers also qualify for SAQ D, and an institution can be both a merchant and a service provider.
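The eligibility criteria above amount to a decision procedure. As an added illustration that is not part of the original post and not QRC's material, the following Python encodes them as a rule-based selector; the MerchantProfile field names and the order in which the rules are tested are my assumptions, chosen so that electronic storage of cardholder data always falls through to SAQ D.

```python
from dataclasses import dataclass


@dataclass
class MerchantProfile:
    """Answers to the eligibility questions above (hypothetical field names)."""
    is_service_provider: bool = False
    stores_chd_electronically: bool = False   # any electronic storage of cardholder data
    card_present: bool = False                # has a physical shop / card-present channel
    ecommerce: bool = False                   # accepts payments through a website
    fully_outsourced: bool = False            # all card handling by a PCI DSS validated third party
    site_controls_redirect: bool = False      # site never sees card data but controls the redirect
    imprint_or_dialout_only: bool = False     # only imprint machines / standalone dial-out terminals
    pts_ip_poi_only: bool = False             # only standalone PTS-approved, IP-connected POI devices
    virtual_terminal_only: bool = False       # only a browser-accessed virtual payment terminal
    internet_payment_app: bool = False        # payment application connected to the Internet
    p2pe_listed_only: bool = False            # only a PCI-listed P2PE solution


def select_saq(m: MerchantProfile) -> str:
    """Return the SAQ type implied by the profile; SAQ D is the catch-all."""
    if m.is_service_provider:
        return "SAQ D (Service Provider)"
    if m.stores_chd_electronically:
        # Electronic storage of cardholder data rules out every reduced SAQ.
        return "SAQ D (Merchant)"
    if m.p2pe_listed_only:
        return "SAQ P2PE"
    if not m.card_present:  # card-not-present channels only
        if m.fully_outsourced:
            return "SAQ A"
        if m.ecommerce and m.site_controls_redirect:
            return "SAQ A-EP"
    if m.imprint_or_dialout_only:
        return "SAQ B"
    if m.pts_ip_poi_only:
        return "SAQ B-IP"
    if m.virtual_terminal_only:
        return "SAQ C-VT"
    if m.internet_payment_app and not m.ecommerce:
        # The post notes that SAQ C does not apply to e-commerce merchants.
        return "SAQ C"
    return "SAQ D (Merchant)"


if __name__ == "__main__":
    # Constructed sample: an e-commerce shop that redirects to a validated payment page.
    print(select_saq(MerchantProfile(ecommerce=True, site_controls_redirect=True)))
```

An e-commerce merchant whose own payment application handles card data falls through to SAQ D, which is the outcome the post warns about for merchants who pick SAQ C incorrectly.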

QRC is a renowned PCI DSS compliance services company from India with a presence in over 25 countries. Having managed companies’ journeys from achieving compliance to maintaining it throughout their lifetime, QRC also offers solutions and services to small and large businesses for Self-Assessment Questionnaire (SAQ) remediation programmes.

Consult the experts today; they will make the process simple and handle the compliance for you. https://www.qrcsolutionz.com/about-us

16th November, 2021 | Risk Management | Posted by QRC Assurance