SAQs (Self-Assessment Questionnaires) are one way that merchants can validate their PCI DSS compliance to acquiring banks and to the PCI Security Standards Council (PCI SSC). Choosing the right one matters a great deal for how you keep cardholder data safe, and there are eight SAQs to choose from: A, A-EP, B, B-IP, C, C-VT, D, and P2PE.

Having talked you through six of the existing Self-Assessment Questionnaires so far, next up is PCI DSS SAQ D.

This Self-Assessment Questionnaire happens to be the largest that an organisation can possibly take (all other SAQs' questions are taken from this questionnaire) and so it is incredibly important that you're absolutely certain that you should be taking it. You don't want to spend hours filling it out now, only to realise that it's the wrong one later on!

Who should take the Self-Assessment Questionnaire D?

This particular questionnaire applies to any and all types of merchants, so the easiest way to tell if you should be taking it (and the first question you should ask yourself before doing so) is whether or not you store cardholder data digitally.

This may include storing data online in relation to e-commerce transactions, or being a telemarketing company that handles cardholder data over the phone and then records and retains those calls (e.g. for training or quality-check purposes).

Another question you should ask yourself is whether or not any of the other SAQs apply to you. SAQs have very specific criteria (for example, SAQ A is for merchants that outsource cardholder data processing functions and SAQ B is for those that transmit data via a dial-up connection), so if your organisation doesn't fit the criteria of any other SAQ, then you should take SAQ D. Questionnaire D specifically states that it "[...] is for merchants who do not meet the criteria for any other SAQ type".

This list of merchant criteria provides some additional pointers:

  • E-commerce merchants who accept cardholder data on their website;
  • Merchants with electronic storage of cardholder data;
  • Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type;
  • Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment.

The other key reason for taking this questionnaire is that you are a Service Provider (defined as any company that provides a service related to payment cards, e.g. if your organisation works with merchants or even banks). Service Providers do not need to look at the criteria of the other SAQs, as they have to take SAQ D by default; there is no other SAQ for them.

What sorts of questions are in this Questionnaire?

When we said that Self-Assessment Questionnaire D is one huge document, we really weren't kidding!

Overall, SAQ D has 263 questions for you to answer, which is an absolutely phenomenal amount. The questions are, though, split up and sectioned off according to the 12 PCI DSS requirements, which makes them a little easier to get through, and we should also note that the questions are exactly the same for merchants and service providers.

Moreover, each question can be answered with "No", "Yes", "Yes with CCW" (Compensating Control Worksheet) or N/A (Not Applicable) and, if you answer "No" to any of the questions, the questionnaire also offers information on how to fix that particular problem and make your organisation compliant.

Here are some examples of the questions that you can find within the questionnaire:

  • Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see the full PAN?
  • The full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) are not stored after authorization?
  • Is there a process to identify security vulnerabilities, including the following: Using reputable outside sources for vulnerability information? Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities?
  • Is documented approval by authorized parties required, specifying required privileges?
  • Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)?
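The first two questions quoted above are the ones most often answered wrongly in practice, because PAN masking is applied on one screen and forgotten on a receipt, an export or a log line. The following Python is an added example, not text or code from the SAQ or the PCI SSC: it implements the display rule from the first question (at most the first six and last four digits shown; the full PAN only to a viewer with a recorded business need) and, going slightly beyond the quoted question, a Luhn-based check that scans rendered output for full PANs that slipped past the mask. The `Viewer` class and its `full_pan_need` attribute are hypothetical, and the PANs used are constructed, well-known test numbers.

```python
"""PAN masking for display, plus a leak check over rendered text.
Added example illustrating the SAQ D question on PAN masking; not PCI SSC code.
The Viewer class / full_pan_need flag are hypothetical; sample PANs are
constructed test numbers, not real cards."""

import re
from dataclasses import dataclass

MAX_LEADING = 6   # first six digits is the most that may be displayed
MAX_TRAILING = 4  # last four digits is the most that may be displayed


def normalise_pan(pan: str) -> str:
    """Strip spaces and dashes and insist on 13-19 digits; anything else is
    rejected outright rather than half-masked."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN: expected 13-19 digits")
    return digits


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> str:
    """Replace every digit except the first `leading` and last `trailing` with '*'.
    Callers may show fewer digits than the maximum, never more."""
    if not (0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING):
        raise ValueError("requested mask exposes more than first six / last four")
    digits = normalise_pan(pan)
    hidden = len(digits) - leading - trailing  # always > 0 for a 13+ digit PAN
    return digits[:leading] + "*" * hidden + digits[len(digits) - trailing:]


@dataclass(frozen=True)
class Viewer:
    """Who is looking at the screen (hypothetical). `full_pan_need` stands for a
    documented, approved business need to see the unmasked number."""
    user: str
    full_pan_need: bool = False


def pan_for_display(pan: str, viewer: Viewer) -> str:
    """What the application should render: the full PAN only when a legitimate
    business need is recorded for this viewer, otherwise the masked form."""
    digits = normalise_pan(pan)
    return digits if viewer.full_pan_need else mask_pan(digits)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn (mod 10) check digit validation."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run. Masked PANs ("411111******1111") never match because
# the '*' run breaks the digit sequence.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Return digit strings in `text` that look like full PANs (13-19 digits and
    Luhn-valid). Run it over screens, receipts, exports or log lines to confirm
    the mask is applied everywhere. Luhn-valid non-card numbers can false
    positive, so treat hits as leads to review, not proof."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample data: public test PANs, one log line with a raw PAN.
    for sample in ("4111 1111 1111 1111", "4222222222222", "3530111333300000"):
        print(pan_for_display(sample, Viewer("agent")),
              pan_for_display(sample, Viewer("fraud-analyst", full_pan_need=True)))
    print(find_unmasked_pans("auth ok card=4111 1111 1111 1111 amount=12.50"))
    print(find_unmasked_pans("auth ok card=411111******1111 amount=12.50"))
```

The two functions are meant to be used together: `pan_for_display` is the only path through which a PAN reaches a screen or a log, and `find_unmasked_pans` is the periodic check (over log archives, report exports, call-recording transcripts) that proves nothing bypassed it.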

Does your organisation store cardholder data electronically?

With so many questions featured in SAQ D, it may seem like a difficult, even impossible, task. But with the help of a QSA (Qualified Security Assessor) who is an expert in PCI DSS compliance, finding out which questionnaire is right for your company and achieving PCI compliance can become a stress-free process.

Written by Irmantas Brazaitis

Information security professional with 12+ years of experience in information security consulting, 2+ years of experience in the role of information security manager, and 2+ years of experience in large scale governmental IT project management. Developed and delivered PCI DSS Implementation and ATM Security training sessions in 15+ different countries. Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council, holding CISM, CISA and CISSP certifications in good standing.