If your company accepts credit or debit card payments, you almost certainly need to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council (SSC), founded by the five payment brands (Visa, Mastercard, Discover, American Express, and JCB International), maintains the standard; the brands and their acquiring banks enforce it by requiring merchants and service providers to validate compliance every year. The lightest-weight validation document is the Self-Assessment Questionnaire (SAQ). Read on to learn about the different PCI DSS SAQ types.
Breaking Down the PCI 3.2 SAQ Types for All Companies
The SSC provides a list of all SAQ variants, with links to corresponding forms available for free download from the SSC document library (pending agreement to licensing conditions). There are nine total PCI compliance SAQ types, which fall into three primary categories of applicability:
- Two PCI SAQ types applicable to e-commerce channels
- Five PCI SAQ types for traditional (non-e-commerce) channels
- Two PCI SAQ types for all other merchants and service providers
After exploring each SAQ type, we’ll provide additional information about the required PCI compliance documentation and implementation of DSS Requirements.
PCI SAQ Types Applicable to e-Commerce Channels
The first two PCI SAQ types provided by the SSC apply primarily to e-commerce channels:
- SAQ A – Applies to card-not-present merchants (e-commerce, mail order, or telephone order) that have fully outsourced all cardholder data (CHD) functions to PCI DSS validated third parties, so that no CHD is stored, processed, or transmitted on the merchant's own systems or premises. For e-commerce this means every element of the payment page delivered to the customer's browser comes from the third party (a full redirect or a third-party-hosted iframe).
- SAQ A-EP – Applies to e-commerce merchants that outsource all payment processing to PCI DSS validated third parties but whose own website controls how customers, or their CHD, are redirected to the processor (for example, a payment form served from the merchant's site that posts directly to the processor). The merchant's systems never receive or store CHD, but because the merchant's web server can affect the security of the transaction, SAQ A-EP asks considerably more questions than SAQ A.
Note that SAQ A-EP is the only SAQ variant that applies exclusively to e-commerce. SAQ A is broader: it covers any card-not-present channel, but never face-to-face channels.
PCI SAQ Types Not Applicable to e-Commerce Channels
The next five PCI SAQ types provided by the SSC apply to channels that are not e-commerce:
- SAQ B – Applies to merchants with no e-commerce channel that exclusively use:
- Manual imprint machines, with no electronic storage of CHD
- Standalone dial-out payment terminals (no IP connectivity), with no electronic storage of CHD
- SAQ B-IP – Applies to merchants with no e-commerce channel that exclusively use standalone, PCI PIN Transaction Security (PTS) approved point-of-interaction devices connected to the payment processor over IP, with the terminals isolated from every other system in the merchant environment and no electronic storage of CHD.
- SAQ C-VT – Applies to merchants with no e-commerce channel that manually key transactions one at a time into a web-based virtual terminal provided by a PCI DSS validated third party, from a workstation isolated from the rest of the environment, with no electronic storage of CHD.
- SAQ C – Applies to merchants with no e-commerce channel whose payment application systems are connected to the Internet, with no electronic storage of CHD.
- SAQ P2PE-HW – Applies to merchants with no e-commerce channel that exclusively use hardware payment terminals included in a Point-to-Point Encryption (P2PE) solution validated and listed by the SSC, with no electronic storage of CHD.
Note that SAQ applicability is determined per channel. A company that operates both e-commerce and face-to-face channels may need to report on each separately, with a distinct SAQ for each.
PCI SAQ Types Applicable to All Other Company Types
The final two PCI SAQ types provided by the SSC apply to all other DSS-eligible companies:
- SAQ D for Merchants (SAQ D-M) – Applies to any other eligible merchant (e-commerce or traditional) that does not meet the eligibility criteria of the SAQ types above, typically because it stores CHD electronically or its environment does not fit one of the narrower profiles.
- SAQ D for Service Providers (SAQ D-SP) – Applies to service providers that a payment brand has defined as eligible to complete an SAQ instead of a full Report on Compliance.
Note that SAQ D-SP is the only SAQ type available to service providers; every other SAQ type applies to merchants only.
Compliance Considerations Beyond PCI DSS SAQ Types
The PCI SAQ types listed above are not the only compliance reporting documentation companies may need to submit. In total, there are three primary report types (including SAQs) that may apply:
- Self-Assessment Questionnaire – Every SAQ shares the same format and purpose, but the set of DSS Requirements it asks about differs by type: SAQ A covers only a handful of requirements, while SAQ D covers all twelve (see below). Each question is answered Yes, Yes with a Compensating Control Worksheet, No, Not Applicable (with justification), or Not Tested.
- Attestation of Compliance – An AOC accompanies every SAQ or ROC. It is the signed declaration of compliance, executed by an executive of the merchant or service provider and co-signed by the assessor when a QSA or ISA performed the assessment; it is the document an acquirer or customer actually asks to see.
- Report on Compliance – Companies at the highest merchant level, and most service providers, must undergo a full onsite assessment of their DSS controls by an assessor, who produces the ROC.
For the ROC in particular, companies need to contract a Qualified Security Assessor (QSA) listed by the PCI SSC (some brands also accept a ROC completed by a trained Internal Security Assessor). RSI Security carries QSA status and can assist in any element of the PCI compliance process, from implementation through verification.
How Merchant Level Impacts the PCI Documentation Needed
A company's PCI merchant level is defined by each payment brand based on that brand's transaction volume. For example, Visa's merchant levels, and the validation each requires, are:
- Merchant Level 1 – More than six million Visa transactions per year across all channels (e-commerce and traditional). Validation: annual ROC by a QSA or ISA, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and an AOC.
- Merchant Level 2 – One to six million Visa transactions per year across all channels. Validation: annual SAQ, quarterly ASV scans, and an AOC.
- Merchant Level 3 – 20,000 to one million Visa e-commerce transactions per year. Validation: annual SAQ, quarterly ASV scans, and an AOC.
- Merchant Level 4 – Fewer than 20,000 Visa e-commerce transactions per year, and up to one million total Visa transactions across all channels. Validation: annual SAQ and quarterly ASV scans, as required by the merchant's acquirer.
Each payment brand sets its own thresholds and validation rules. They are broadly similar but not identical (Mastercard, for instance, requires Level 2 SAQs to be completed by a QSA or by ISA-trained staff), so confirm your level and obligations with your acquirer. Whatever the level, the documentation must account for every control that applies to the company's environment.
PCI DSS Requirements Reported Across All Documentation
The last critical consideration about SAQs and PCI documentation more broadly is what each form reports. Companies submit SAQs, AOCs, or ROCs to verify their implementation of:
- PCI DSS Requirement 1 – Install and maintain a firewall configuration to protect cardholder data: segment the cardholder data environment (CDE) and permit only documented, necessary traffic in and out.
- PCI DSS Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters; harden every system component and remove unnecessary services and accounts.
- PCI DSS Requirement 3 – Protect stored cardholder data: minimize what is retained, never store sensitive authentication data after authorization, mask the PAN when displayed, and render stored PANs unreadable (truncation, keyed hash, tokenization, or strong cryptography).
- PCI DSS Requirement 4 – Encrypt transmission of cardholder data across open, public networks using strong cryptography and secure protocols, and never send unprotected PANs over end-user messaging technologies.
- PCI DSS Requirement 5 – Protect all systems against malware and regularly update anti-virus software on every system commonly affected by malware.
- PCI DSS Requirement 6 – Develop and maintain secure systems and applications: patch promptly, follow secure coding practices, and protect public-facing web applications.
- PCI DSS Requirement 7 – Restrict access to cardholder data by business need to know, with a default of deny-all.
- PCI DSS Requirement 8 – Identify and authenticate access to system components: a unique ID for every user and multi-factor authentication for all non-console administrative access and all remote access into the CDE.
- PCI DSS Requirement 9 – Restrict physical access to cardholder data, including media, point-of-interaction devices, and the facilities that house them.
- PCI DSS Requirement 10 – Track and monitor all access to network resources and cardholder data through audit logs that are protected, centrally collected, and reviewed.
- PCI DSS Requirement 11 – Regularly test security systems and processes: rogue wireless detection, internal and external vulnerability scans (external ones by an ASV), penetration testing, and change-detection monitoring.
- PCI DSS Requirement 12 – Maintain a policy that addresses information security for all personnel, including risk assessment, security awareness training, and incident response.
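Of the twelve, Requirement 3 is the one whose engineering consequences are most concrete for any merchant or service provider that does store PANs (SAQ C, SAQ D, or a ROC). The following is an added worked example, not code from the original article or from any PCI SSC document, showing the masking and "render unreadable" controls in practice and the documented pitfall of pairing an unkeyed hash with a masked or truncated PAN. The PANs are constructed industry test numbers, the HMAC key is a placeholder for one that would live in an HSM or KMS, and all function names are this example's own.

```python
"""Added worked example for PCI DSS Requirement 3 (protect stored CHD).

Not code from the original article. It demonstrates:
  3.3  mask the PAN when displayed (at most first six / last four digits)
  3.4  render the stored PAN unreadable (truncation, keyed hash, or
       strong cryptography) and why an unkeyed hash stored next to a
       masked or truncated PAN is not acceptable.
All PANs used here are constructed test numbers, not real cards.
"""
import hashlib
import hmac
import itertools
import re
from typing import Optional

_PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and reject anything that is not PAN-shaped."""
    pan = re.sub(r"[\s-]", "", raw)
    if not _PAN_RE.match(pan) or not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Req 3.3 display form: first six and last four, everything else hidden."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Req 3.4 truncation: keep only the last four; the rest is discarded."""
    return pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Req 3.4 keyed hash: HMAC-SHA256 gives a stable lookup token without
    storing the PAN. The key is assumed to be held outside the database
    (HSM/KMS); without it the token cannot be reversed by guessing PANs."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_sha256(pan: str) -> str:
    """The weak alternative some systems use: a plain hash of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def store_record(raw_pan: str, key: bytes) -> dict:
    """What a CHD-minimizing record looks like: no full PAN in any field."""
    pan = normalize_pan(raw_pan)
    return {"display": mask_pan(pan), "last4": truncate_pan(pan),
            "ref": pan_reference(pan, key)}


def record_leaks_pan(record: dict, raw_pan: str) -> bool:
    """Assessor-style check: does any stored field contain the full PAN?"""
    pan = normalize_pan(raw_pan)
    return any(pan in str(v) for v in record.values())


def recover_pan_from_unkeyed_hash(masked: str, sha256_hex: str) -> Optional[str]:
    """Why Req 3.4 forbids keeping an unkeyed hash beside a masked PAN:
    the mask reveals ten digits, so only the hidden middle must be guessed.
    Six hidden digits is at most 10**6 SHA-256 computations."""
    m = re.fullmatch(r"(\d+)(\*+)(\d+)", masked)
    if not m:
        raise ValueError("expected a masked PAN such as 411111******1111")
    head, stars, tail = m.groups()
    target = bytes.fromhex(sha256_hex)
    for middle in itertools.product("0123456789", repeat=len(stars)):
        candidate = head + "".join(middle) + tail
        if hashlib.sha256(candidate.encode()).digest() == target:
            return candidate
    return None


if __name__ == "__main__":
    KEY = b"placeholder-key-that-would-live-in-an-HSM"  # assumption
    rec = store_record("4111 1111 1111 1111", KEY)
    print("stored record:", rec)
    print("leaks full PAN:", record_leaks_pan(rec, "4111111111111111"))
    weak = unkeyed_sha256("4111111111111111")
    print("recovered from mask + unkeyed hash:",
          recover_pan_from_unkeyed_hash(rec["display"], weak))
```

The last function is the point an assessor will make when reviewing a schema: a masked PAN in a customer-facing table plus an unkeyed SHA-256 in an analytics table together reconstruct the full PAN in well under a minute, so the two must never coexist; a keyed HMAC with the key held outside the database, or truncation to the last four, does not have this problem.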
Rethink Your PCI DSS Implementation and Compliance
Since most companies process credit card payments, PCI DSS compliance is widely applicable. And, since so many different types of companies need to comply, there are many different PCI DSS SAQ types to accommodate their wide-ranging payment technologies.