A Comprehensive Guide to PCI DSS SAQ Types
PCI DSS Self-Assessment Questionnaires (SAQs) are tools that help merchants and service providers assess their compliance with the Payment Card Industry Data Security Standard (PCI DSS). SAQs were designed for small and medium-sized merchants and service providers. Merchants in levels 2-4 (with fewer than 6 million transactions annually) and level 2 service providers (with fewer than 300,000 transactions annually) can complete an SAQ instead of having a Report on Compliance (RoC) completed by a Qualified Security Assessor (QSA). SAQs include a set of yes/no questions aligned with PCI DSS requirements and may also include an Attestation of Compliance (AOC) that the organization signs. There are multiple SAQ types, all of which can be found in the PCI Document Library. The following is a breakdown of the different types of SAQs and the business operations they are designed for.
An Overview of the PCI DSS
PCI DSS is a global cybersecurity standard for businesses that handle branded credit cards from major credit card networks like Visa, Mastercard, American Express, and Discover. The standard is administered by the PCI Security Standards Council (PCI SSC), which these major card brands founded. The purpose of PCI DSS is to protect cardholder data from unauthorized access and potential misuse, ultimately to deter credit card-based fraud and help merchants and service providers prevent and respond to data breaches. Any organization that accepts, processes, stores, or transmits cardholder data must comply with PCI DSS.
PCI DSS SAQ A
SAQ A is for merchants that outsource all electronic handling of cardholder data to third parties, store no account data electronically on premises, and retain only paper reports or receipts containing account data. Merchants that use SAQ A may have a website that redirects consumers to a third-party payment processor for the purchase. SAQ A applies only to card-not-present transactions, such as e-commerce and mail/telephone orders. Key requirements for SAQ A include:
- Securing the Merchant Web Environment: The webpage that loads or redirects to the hosted payment form must be served over HTTPS and be free from vulnerabilities that could compromise data.
- No Access to Cardholder Data: The merchant must not have access to or control of the payment page (including iframe code) where cardholder data is entered.
- Ensuring Third-party Compliance: Merchants must verify and document that all service providers handling cardholder data on their behalf are PCI DSS compliant.
- No Electronic Storage of Cardholder Data: The environment must not store cardholder data electronically at any point.
PCI DSS SAQ A-EP
SAQ A-EP is for e-commerce merchants with websites that don’t receive account data but do have some control over the security of the payment page, such as through redirects or an iframe. The merchant doesn’t store, process, or transmit cardholder data on its systems or premises. Requirements found in SAQ A-EP that are not in SAQ A include:
- System Hardening and Secure Configuration: Developing and maintaining secure configurations for all system components in scope.
- Firewalls and Network Segmentation: Implementing firewalls to protect web-facing systems and restricting inbound and outbound traffic to only necessary protocols.
- Vulnerability Management: Implementing a process for identifying, ranking, and patching vulnerabilities. Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are required.
PCI DSS SAQ B
SAQ B is for brick-and-mortar or mail/telephone order merchants that use only an imprint machine and/or standalone, dial-out terminals. The dial-out terminals are not connected to the internet; they connect to the merchant's processor over a phone line. The merchant does not store account data in an electronic format. Key requirements for SAQ B include:
- No Storage of Cardholder Data: Merchants must not store the full PAN (Primary Account Number), magnetic stripe data, or CVV after authorization.
- Restricting Physical Access to Cardholder Data and Payment Devices: Merchants must physically secure terminals to prevent tampering, regularly inspect devices for signs of tampering or substitution, and train staff to report suspicious behavior near terminals.
- No Terminal Internet Connection: Payment terminals must not be connected to the internet and should connect only through dial-up or a dedicated cellular line.
PCI DSS SAQ B-IP
SAQ B-IP is for merchants that use terminals with an IP connection to the payment processor, where the terminals are not connected to any other systems within the merchant environment. The merchant does not store account data in electronic format. Some SAQ B-IP requirements that differentiate it from SAQ B include:
- Configure and Maintain Firewalls: Merchants must implement network segmentation and firewall rules to restrict traffic to and from the payment terminals. Firewalls must only allow required communication paths between the terminals and the payment processor.
- Authentication Controls for Remote Access: A unique ID for each user and strong authentication are required if remote access is needed for support.
- Harden Terminals and Network Components: Merchants must follow security configuration standards, such as disabling unnecessary services and protocols and configuring secure remote access.
- Install Vendor Security Patches Within One Month of Release: This applies to terminals and any routers or networking devices in the cardholder data environment (CDE).
PCI DSS SAQ C
SAQ C is for merchants that use terminals that are connected to the internet but not to any other systems in the merchant's environment. To be eligible for SAQ C, merchants must not store account data electronically. Brick-and-mortar and mail/telephone order merchants can use SAQ C, but e-commerce merchants and service providers cannot. SAQ C is for environments with more complexity and risk than those that use SAQ B or SAQ B-IP. Requirements in SAQ C include:
- Network Access Controls: Inbound and outbound traffic is restricted to only what is necessary for payment processing, and a firewall must be installed and maintained to protect the CDE.
- System Hardening and Secure Configurations: Vendor-supplied defaults for system passwords and settings must be changed, and secure configurations must be applied to POS systems and network devices.
- Personnel Access Control: Access to systems handling cardholder data must be limited to authorized personnel who must have unique IDs. Strong password policies and session timeouts are required, as is multi-factor authentication (MFA) for remote access to the CDE.
- Protect All Systems and Networks from Malicious Software: Install and maintain anti-virus/malware protection on all systems commonly targeted by malicious software.
PCI DSS SAQ C-VT
SAQ C-VT is for merchants that manually enter a single transaction at a time via a keyboard into an Internet-based virtual payment terminal solution and do not store cardholder data on a computer system. Key requirements include:
- Single-Purpose Workstations: Workstations used for entering payment data must be dedicated solely to that purpose. To minimize the risk from malware and phishing, no email, web browsing, or other non-payment activity is allowed on them.
PCI DSS SAQ D
SAQ D is the most comprehensive of the PCI DSS SAQs. There are two versions, Merchant and Service Provider.
SAQ D Merchant applies to merchants that don’t meet the criteria for other SAQs. Examples of merchants that would use SAQ D Merchant include:
- E-commerce merchants that accept account data on their website.
- Merchants with electronic storage of account data.
- Merchants that don’t store account data electronically but that do not meet the criteria of another SAQ type.
- Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment.
SAQ D Service Provider applies to third-party entities that handle cardholder data on behalf of merchants or other organizations.
Service providers must use SAQ D, as it is the only SAQ option available to them. Additional requirements for SAQ D Service Providers include:
- Reviewing and documenting access privileges at least once every three months, while merchants are only required to do this every six months.
- Detecting and issuing alerts for failures of security mechanisms (e.g., logging, antivirus) and responding promptly.
- Performing log reviews at least quarterly in addition to daily log reviews, whereas merchants only need daily reviews.
- Formally acknowledging in writing that they are responsible for the security of cardholder data they process or manage for clients.
- Reviewing TLS and cryptographic usage annually to ensure secure configurations.
- Conducting a separate risk assessment specific to the services they provide to clients.
PCI DSS SAQ P2PE
SAQ P2PE is for merchants that process account data only via a Point-to-Point Encryption (P2PE) solution and do not have access to clear-text account data on any computer system. An example is a merchant that receives account data on paper or over the telephone and keys it directly into a payment terminal that is part of a validated P2PE solution. This SAQ is shorter than SAQ D or SAQ C. Some of its key requirements are:
- Maintaining a current inventory of all P2PE devices and protecting them from tampering or substitution.
- Training staff to recognize suspicious activity.
- Ensuring devices are installed and managed according to vendor guidance.
- Maintaining records of device shipments, deliveries, and activations.
- Having an incident response plan.
- Documenting security policies related to the P2PE environment.
What if you don’t qualify for an SAQ?
If a merchant or service provider does not meet the eligibility criteria for any of the other SAQ types, it must use SAQ D, the most comprehensive questionnaire. This applies to a wide range of organizations, including e-commerce merchants that accept account data directly on their website and any merchant that stores cardholder data electronically. For a service provider, there is only one SAQ option: SAQ D.
Should you do an SAQ on your own or with a QSA company?
While merchants at levels 2-4 and level 2 service providers can complete an SAQ on their own, working with a QSA company can be highly beneficial. A Qualified Security Assessor is an individual certified by the PCI SSC to conduct assessments of an organization’s compliance. An assessment performed by a QSA provides an impartial and independent evaluation of an organization’s compliance with PCI DSS. QSAs have expertise in the nuances of the standard and can help interpret complex requirements and provide actionable steps. A QSA can also help with risk management, identifying vulnerabilities, and guiding organizations on best practices.
After completing the assessment, a QSA can issue and sign an Attestation of Compliance, a formal document that attests to an organization’s compliance with PCI DSS and serves as proof that the necessary security controls are in place. For businesses that are unsure how to apply the requirements, or for those with complex environments, a QSA can provide clarity and assurance that security controls are effective. Working with a QSA can also help streamline the process and reduce the scope of the assessment, which can ultimately decrease the cost of compliance.
CompliancePoint is an authorized PCI QSA. We have helped organizations of all sizes and in many industries prepare for a successful PCI assessment/audit. Contact us at connect@compliancepoint.com to learn more about our PCI attestation and consulting services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.