Understanding which Self Assessment Questionnaire (SAQ) is right for your business is a vital but complex task. Here, we explain each of the 9 possible SAQs to help you make the right decision.
Before we dive into the different SAQs available, let's take a step back, look briefly at the background of PCI DSS, and check whether you may actually require a ROC instead of an SAQ:
The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security standards developed by the major credit card issuers in the world - Visa, MasterCard, American Express, Discover and JCB. It is administered by the PCI Security Standards Council and serves organizations who work with and are associated with payment cards: merchants, financial institutions, point of sale vendors etc.
It's important to note that, depending on the credit card scheme (Visa, MasterCard, JCB, Amex, Diners etc.) a merchant avails of, an SAQ alone may not be enough. A Report on Compliance (ROC) may have to be completed instead. This is a formal audit performed by a Qualified Security Assessor (QSA). The ROC is produced during an onsite PCI DSS assessment and covers all processes related to credit card collection, storage, transmission, destruction and more. Because of the complexity and importance of the audit, we will cover it in a standalone blog post soon.
However, smaller merchants and service providers are not required to undergo a full compliance audit with a QSA and submit a ROC. Instead, they have to fill out a Self Assessment Questionnaire (SAQ). It is a self-validation tool meant to assist in the evaluation of PCI DSS compliance levels. The PCI Council has developed multiple versions of the SAQ for different scenarios, each containing the questions relevant to a specific type of merchant environment.
Regardless of what you have to complete (SAQ or ROC) the same PCI DSS requirements apply. The main difference is that SAQs can be autonomously completed while ROCs are reported by QSAs upon completion of a full PCI DSS audit.
There are a total of 9 SAQs and determining which one is appropriate for your company might be challenging. Generally, it will depend on the way you process credit cards and handle cardholder data. Note that the PCI Council frequently releases updates to the requirements; for now, the latest update (PCI DSS version 3.2.1) was published in May 2018. You can find the document library regarding SAQs on the official PCI Council website.
As stated above, you must choose the SAQ that is right for your processing environment. All SAQs except SAQ D have one factor in common: none of them allow for electronic storage of cardholder data. Here is the breakdown of all SAQs and an explanation of who should complete which one:
Depending on the complexity of the processing environment, the SAQs contain a different number of questions. We have counted them for you, so you know what to expect:
Any business owner today cares about security. This doesn't make them a security expert. The language used in the different questionnaires, choosing the correct one and knowing how to complete it are all challenging, and often this challenge comes on top of an already packed day-to-day. If you are a business owner who needs to become compliant in a secure yet efficient manner, we can help. The ZeroRisk PCI Portal, through a user friendly interface and simple questions, selects the right SAQ with you and guides you through its completion without you having to become a security expert in the process!
I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.
Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA