In June 2018 the PCI Security Standards Council (SSC) released version 3.2.1 of the Self-Assessment Questionnaires (SAQs). Here we take a look at the changes introduced and what they mean for you, and we help you choose the right SAQ for validating your PCI DSS compliance.

Comparing v3.2.1 with v3.2, the only substantive change is the addition of PCI DSS requirement 6.2 (security patching of system components and software) to SAQ A. This tells us that the PCI SSC is paying closer attention to, and increasing the requirements for, even those e-commerce merchants who use the URL Redirect and/or iFrame methods (ref. Information Supplement: Best Practices for Securing E-commerce, Sections 2.1 and 2.2).

Choosing the right SAQ

There are eight SAQs available for merchants and one for service providers, so choosing the right one is not a trivial task. Let’s try to simplify it with step-by-step instructions, starting with an overview of all the SAQ types.

[Table: overview of the SAQ types, in four panels: SAQ A & SAQ A-EP; SAQ B & B-IP; SAQ C & C-VT; SAQ P2PE & SAQ D.]

It’s a complex table with many options that take time to comprehend (If you feel comfortable reading and understanding it already, please contact our HR team as we might want to hire you immediately!).

Next, we’ll provide you with some tips and guidance on how to manage the table and its outputs systematically.

If you are a service provider and you are eligible for SAQ validation (if in doubt, check with the payment brands and/or your QSA), the choice is simple: the only option is SAQ D for Service Providers. Remember that an entity can be both a merchant and a service provider; it is not uncommon for a merchant to provide transaction processing services to other merchants, which makes the same entity a service provider too.

If you are a merchant and you are eligible for SAQ validation (always check with your acquirer), you should identify the applicable SAQ type separately for each card payment acceptance channel you have; card-present (brick-and-mortar), MOTO (Mail Order/Telephone Order) and/or e-commerce.

The first question you need to answer is whether you store any electronic cardholder data, including any legacy data. If the answer is yes, there is no need to look at the other SAQ types: it will be SAQ D. The next step is to review the business need for maintaining electronic cardholder data storage. SAQ D is the most complex SAQ, and if cardholder data storage can be avoided you may reduce your compliance effort significantly by qualifying for a different SAQ type.

Approach each card payment channel separately. Let’s start with e-commerce. If you accept e-commerce transactions you can only be eligible for SAQ A, SAQ A-EP or SAQ D. Read all the eligibility criteria carefully to determine the applicable SAQ type. As a general rule, e-commerce merchants using the URL Redirect and/or iFrame methods will be eligible for SAQ A; merchants using the Direct Post Method (DPM) and/or a JavaScript Form will be eligible for SAQ A-EP; and merchants using an API method, or any other method, will have to work with SAQ D (ref. Information Supplement: Best Practices for Securing E-commerce, Sections 2.1, 2.2, 2.3, 2.4 and 2.5).

For MOTO (Mail Order/Telephone Order) transactions you may be eligible for:

  • SAQ A (all cardholder data functions are fully outsourced to a PCI DSS compliant service provider),
  • SAQ B (you use imprint machines or standalone dial-out terminals with no Internet connection),
  • SAQ B-IP (you use standalone PTS-approved payment terminals with an IP connection to the payment processor),
  • SAQ C (you use a payment application on a system connected to the Internet),
  • SAQ C-VT (you use a web-browser-based virtual terminal solution),
  • SAQ P2PE (transactions are accepted using a PCI SSC-listed P2PE solution),
  • SAQ D (if you’re not eligible for any of the previous SAQ types).

For the card-present (brick-and-mortar) acceptance channel, you have a choice of:

  • SAQ B (you use imprint machines or standalone dial-out terminals with no Internet connection),
  • SAQ B-IP (you use standalone PTS-approved payment terminals with an IP connection to the payment processor),
  • SAQ C (you use a payment application on a system connected to the Internet),
  • SAQ C-VT (you use a web-browser-based virtual terminal solution),
  • SAQ P2PE (transactions are accepted using a PCI SSC-listed P2PE solution),
  • SAQ D (if you’re not eligible for any of the previous SAQ types).

You have to meet all the eligibility criteria for the SAQ type you’re aiming for, and this may not be simple to achieve, so seek guidance from your acquirer and/or QSA whenever in doubt. SAQs C and C-VT are especially tricky to interpret when it comes to the eligibility criteria for network segmentation. Do not forget voice recordings either: if you record telephone payments, those recordings are electronic storage of cardholder data, and that immediately drops you down to SAQ D (and note that sensitive authentication data such as the card verification code must never be retained after authorisation, whatever medium it is recorded on). Telephone payments are even trickier because you also need to consider the technology you’re using; for example, Voice over IP carried over the company’s network may bring that network into scope.

Once you have identified the eligible SAQ type for each of your card payment acceptance channels, always contact your acquirer to confirm whether you need to complete a separate SAQ for each channel. In our experience it is possible to agree with the acquirer that a merchant completes one SAQ per channel, for example SAQ A for e-commerce, SAQ P2PE for brick-and-mortar and SAQ C-VT for MOTO transactions. Completing these three SAQs is much easier than completing one SAQ D.

One more piece of advice: always complete and maintain your cardholder data flow diagram(s) (PCI DSS requirement 1.1.3) and an inventory of the system components that are in scope for PCI DSS (PCI DSS requirement 2.4). You will notice that SAQs A, B, B-IP, C, C-VT and P2PE do not list either requirement, and SAQ A-EP lists 1.1.3 but not 2.4; nevertheless, these two documents are the key evidence that you have scoped your environment correctly.

Do you need help choosing the right SAQ and completing it?

To ensure that you are keeping cardholder data protected, get in touch with our cyber security experts. We will walk you through the journey of compliance, ensuring that nothing is missed.



Written by Irmantas Brazaitis

PCI QSA and Information Security professional with vast experience within the payment card industry. I have sound experience in ATM security, having worked for a global payment service provider alongside the Fraud team, involved in the end-to-end fraud prevention process (from monitoring of suspicious transactions to seizure of criminals).

Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council.