What is your SAQ Type?
The PCI DSS Self-Assessment Questionnaire (SAQ) is a self-assessment questionnaire designed to evaluate the compliance status of payment systems. It applies to merchants of levels 2-4 and service providers of level 2.
SAQ assesses an organization’s compliance with various standards. For example, under Visa’s guidelines, merchants processing fewer than 6 million transactions annually or service providers processing fewer than 300,000 transactions annually qualify for the SAQ.
5 Steps for PCI DSS SAQ Self-Assessment:
Select the SAQ type applicable to you.
Verify that the scope of your PCI DSS environment is accurate.
Self-assess if your environment is compliant with PCI DSS requirements.
Complete the SAQ documentation, including assessment information, the questionnaire, and supporting evidence.
Submit the SAQ assessment results and the Attestation of Compliance (AOC) to the requesting organization (acquirer).
Most importantly, choose the SAQ type that suits your environment!
For e-commerce, these SAQ versions may apply:
Service Providers
SAQ D for Service Provider:
Applicable only to service providers, it includes the requirements from SAQ D for Merchants and adds criteria for documentation and customer policies, procedural reviews, configuration checks, alerts, penetration test records, and more, with a total of 259 questions.
Merchants
SAQ A:
For fully outsourced payment services (e.g., payment page using URL redirect or iFrame). SAQ A involves document checks, configuration checks, policy reviews, data retention and disposal, and external vulnerability scans. It’s the shortest SAQ version, with only 29 questions.
SAQ A-EP:
For merchants using an outsourced payment processor but managing their own payment page. SAQ A-EP covers SAQ A items and adds requirements for network management, host management, data security, vulnerability management, access control, and monitoring/testing, with significant additional requirements due to partial involvement in payment processing.
SAQ D for Merchant:
For merchants with an in-house payment system or those storing cardholder data electronically. SAQ D for Merchant has broader requirements than SAQ A-EP, covering all PCI DSS requirements for merchants.
If you need more information about SAQ types or want to achieve PCI DSS compliance effectively and accurately, professional advice from a QSA or QSAC is highly recommended. Their expertise can provide valuable insights tailored to your specific needs and ensure your compliance in the most effective manner possible.