If your organization deals with any type of cardholder data, then you’ve most likely heard of Self-Assessment Questionnaires.
A Self-Assessment Questionnaire (SAQ) is a formal report of an organization’s compliance with the Payment Card Industry Data Security Standard (PCI DSS). It evaluates whether a merchant or service provider has taken the necessary measures to secure cardholder data and documents its overall security posture.
The process of completing an SAQ is different for every organization. Even before the assessment starts, there are nine different types of SAQs to choose from, depending on your specific process payment method and cardholder environment.
Below, we cover each SAQ type, what each one entails, and how to identify the most applicable SAQ for your environment.
The Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaire (SAQ) is a validation tool designed to help merchants and service providers evaluate and report their PCI DSS compliance.
Each SAQ starts with a “Before you Begin” section that outlines the type of cardholder environment covered by the specific questionnaire. This is followed by a series of “yes” or ”no” questions about all aspects of an organization's payment card processing activities and security controls, encompassing network security, system configuration, access control, and the like.
SAQs also include an Attestation of Compliance (AOC), which serves as a formal declaration of the organization’s compliance with PCI DSS requirements.
In summary, the entire SAQ includes three sections:
SAQs are available in an online format or as a downloadable PDF.
Not every organization is eligible for self-assessment. Only merchants and service providers with lower transaction volumes — less than 6 million annual payment card transactions for merchants, and less than 300,000 annual payment card transactions for service providers — can submit an SAQ to demonstrate PCI DSS compliance.
Organizations with a higher number of annual transactions are required to submit a more in-depth Report on Compliance (ROC).
Read more about the different Merchant and Service Provider Levels as outlined by PCI DSS.
For more information, organizations should also consult with their acquiring bank or payment brand to determine whether they are eligible to submit an SAQ and which SAQ is appropriate for their cardholder environment.
There are nine types of PCI DSS SAQs — eight for merchants and one for service providers.* Determining which one is most appropriate for your organization depends on two factors: Whether you’re a merchant or service provider, and how you process card payments.
See the following explanations to determine which SAQ type is best for your organization:
Card-not-present merchants (ecommerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.
Ecommerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing or transmission of cardholder data on merchant’s systems or premises. Applicable only to ecommerce channels.
Merchants using only: Imprint machines with no electronic cardholder data storage and/or standalone dial-out terminals with no electronic cardholder data storage. Not applicable to ecommerce channels.
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder data storage. Not applicable to ecommerce channels.
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to ecommerce channels.
Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to ecommerce channels.
Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE (point-to-point encryption) solution, with no electronic cardholder data storage. Not applicable to ecommerce merchants.
SAQ D for Merchants: All merchants who are not included in descriptions for the above SAQ types.
SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ.