Get ready for an insight dedicated to the latest PCI DSS SAQ versions. Following our introduction about this topic, it's now time to take a closer look at the types of Questionnaires and the number of questions related to each one of them.

SAQ 3.0: Types and questions to answer

Why is it important to fill out the right SAQ?

The Payment Brands require all entities, including merchants, that store, process and/or transmit payment card data to validate their PCI Compliance annually. Merchants do not have a direct relationship with the Payment Brands and therefore the Payment Brands require their Acquiring Banks to include in their compliance programmes actions meant to ensure that Merchants operate in a secure manner, as regulated by the SSC (Security Standard Council).

Payment Brands might apply financial fees to Acquiring Banks for working with non-compliant Merchants, and a similar mechanism is applied to the business relationship in place between Acquiring Banks and the Merchants.

A little bit of history

Ten years ago, each of the main payment brands (Visa, MasterCard, American Express, Discover and JCB) nominated a representative to collaborate with a new organisation called the Payment Card Industry Security Standards Council (SSC).

At the time, each of the Payment Brands maintained their own data security standards and the Council’s role was to unify these separate standards into a single standard known as the Payment Card Industry Data Security Standard. Released in 2004, PCI DSS version 1.0 established six (6) primary goals, which were broken down into a set of twelve (12) requirements.

What has changed since then?

Since its introduction a decade ago, the security standard has actually changed very little retaining the same goals, requirements and many of the original controls required to comply with it; each release tended to provide greater clarity about the intention of the requirement rather than introducing something new.

Originally, the compliance followed a two-year development life-cycle, limiting the release of changes to the standard to a two-year period. However, in 2010 based upon feedbacks and concerns about ‘constantly moving goal posts, the Council moved from a two-year to a three-year development life-cycle.

Released at the end of 2013, PCI DSS version 3.0 did introduce more changes than version 2.0, however the core goals and requirements remain the same.

ith the release of a new version, the Council allows organisations adequate time to transition from version 2.0 to PCI DSS 3.0; organisations may validate compliance against version 2.0 until 31st December 2014, though organisations may opt to validate compliance against version 3.0. From the 1st January 2015, version 3.0 will become the only active version.

Unlike previous revision, version 3.0 does introduce new sub-requirements that previously did not exist. Whenever new sub-requirements are introduced, the Council provides a period of time for organisations to meet the new requirements.

In April 2015, the PCI Council has released a new version - PCI DSS 3.1 - that brings a few key changes to the Standard's requirements and questionnaries.

Who should fill out a SAQ?

Service Providers, and any other organisation eligible for the PCI Compliance programme, processing large volumes of transactions, must validate compliance by passing an Audit on Compliance with a QSA, submitting a Report on Compliance (RoC) and an Attestation of Compliance (AoC) to the card schemes.

This is typically applied to Merchants, where the transactions volume is relevant, and/or specifically required by the Acquiring Banks as the consequence of the previously mentioned compliance programme. Smaller Merchants and Service Providers may evaluate their own compliance by completing and submitting one of the Self-Assessment Questionnaires along with an AoC.


Where a Merchant has multiple acceptance channels, such as using standalone PDQ machines (B) and Virtual Terminals (C-VT), the Merchant should complete questionnaire D; marking any requirements that are not applicable and providing a justification. For example, Merchants that do not store payment card data would need to mark most of Requirement 3, which relates to the encryption of data at rest, as not applicable as no data is stored.

About Advantio

Advantio's team members are PCI Compliance experts and as a trusted advisor we can assist your organisation to achieving and maintaining compliance.

Our Qualified Security Assessors (QSAs) are capable of leading the process towards a compliant status from start to finish; from the GAP analysis to the communication of your compliance to your acquirer and the payment brands

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA