Companies that deal with cardholder data must be compliant with the the Payment Card Industry Data Security Standard (PCI DSS) and fill out the right Self-Assessment Questionnaire (PCI DSS SAQ). Filling out a SAQ is one of the ways Merchants can prove their compliance to their Acquiring Banks and, consequently, to the five founders of the PCI SSC (American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.).

These questionnaires allow you to self-evaluate your company's security status and it also gives you a chance to really dig into and think about your company's security practices (as well as what needs to be done to improve them).

However, there are a total of eight different questionnaires (A, A-EP, B, B-IP, C, C-VT, D, and P2PE) and only one of these will apply to your business.

As explained here, it's incredibly important that you fill out the correct questionnaire for your business as failing to be compliant can result in fines or, even worse, breaches where malicious attackers are able to gain access to the cardholder data that you store, process or transmit.

So, below is a helpful set of information allowing you to figure out if PCI DSS SAQ C is the right one for you.

SAQ C is a long questionnaire. Is it the right one for your organisation?

Self-Assessment Questionnaire C is a 140 questions long paper, so make sure it’s the right one for you before filling one out. You probably don't want to spend time answering all of those questions only to realise that you've filled out the incorrect one.

First and foremost, you should ask yourself whether or not you store any card data in electronic form (this may even include recorded phone calls with cardholder data) because if you do, that means that you are not eligible for this particular SAQ. If you do store card data electronically then you should look at SAQ D instead.

Additionally, SAQ C can only be completed if your company deals with cardholder data via mail or telephone orders (card not present) or if it has point-of-sale terminals (card present), if your business is in ecommerce then you are ineligible to take the questionnaire.

Here is the full list of criteria for taking SAQ C:

  • Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
  • The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);
  • The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only;
  • Your company retains only paper reports or paper copies of receipts, and these documents are not received electronically;
  • Your company does not store cardholder data in electronic format.

It's also important to note that the PCI council notes that "this shortened version of the SAQ includes questions that apply to a specific type of small merchant environment, as defined in the above eligibility criteria".

Unfortunately the PCI DSS doesn't offer any guidelines on what a "small" merchant is but a good example is a small shop with just one or two point of sale terminals. If you aren't a small merchant that can answer 'yes' to all of the things on that SAQ C criteria list, this SAQ may not be for you.

What Sort of Questions Are Featured in Self-Assessment Questionnaire C?

While it may seem daunting and impossible to answer each of the 140 questions present in this questionnaire, they are at least made easier to get through as each of the questions has its own section, corresponding with all 12 of the PCI DSS' requirements (e.g maintaining a policy that addresses information security for all personnel, developing and maintaining secure systems and applications, and regularly testing security systems and processes).

Also aiding questionnaire takers somewhat is that the questions only have four responses: "Yes", "Yes with CCW" (Compensating Control Worksheet), "No", or "N/A". And on top of this, each question comes with a list of 'expected testing'; actionable things you can do (e.g review policies, interview personnel, and observe processes) making it easy enough to remedy any issues.

Here are some examples of questions:

  • Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see the full PAN?
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks?
  • Is strict control maintained over the storage and accessibility of media?
  • Are internal and external scans, and rescans as needed, performed after any significant change?
  • Do security policy and procedures clearly define information security responsibilities for all personnel?

Get Support From a PCI DSS Compliance Expert

As you can see, a lot of thought and time needs to go into filling an SAQ out and becoming PCI compliant, but working with a QSA (Qualified Security Assessor) like Advantio's team can help to ease the burden. Our trusted advisors can guide you and your company on the path to PCI compliance, making it a smooth and easy process.

Irmantas Brazaitis

Written by Irmantas Brazaitis

Information security professional with 12+ years of experience in information security consulting, 2+ years of experience in the role of information security manager, and 2+ years of experience in large scale governmental IT project management. Developed and delivered PCI DSS Implementation and ATM Security training sessions in 15+ different countries. Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council, holding CISM, CISA and CISSP certifications in good standing.