Article

PCI Compliance: which SAQ is right for me?

SAQs come in a number of formats: choosing the right one is critical.

In order to assist merchants and service providers in validating compliance with the PCI DSS, a number of Self -Assessment Questionnaires (SAQs) have been made available, each applicable to a specific payment scenario. Dependent on the volumes of card data transacted, validation can be by self-assessment and the relevant SAQ documentation, rather than formal audit.

Choosing the right SAQ is critical, as incorrect submissions could invalidate your compliance and expose your organisation to greater risk of payment card data breaches.

The completed SAQ is delivered along with a signed Attestation of Compliance (AoC) by an officer of the company responsible for compliance (usually the Chief Financial Officer or equivalent). For merchants, the SAQ and AoC are delivered to their acquirer(s); service providers submit SAQs to the appropriate card brands (Visa, Mastercard, American Express, JCB and Discover).

There are various types of SAQ available and they were recently enhanced post the PCI DSSversion 3.0/3.1 releases:

SAQ A

SAQ A applies to card-not-present merchants (e-commerce or mail/telephone order) who have completely outsourced all cardholder data processing functions and have no electronic storage, processing or transmitting of cardholder data. The service providers managing cardholder data on behalf of the merchant must also be validated as PCI compliant; otherwise their environment must also be assessed as part of the merchant’s compliance program.

Entirely outsourcing all cardholder data functions does not mean a merchant does not have to be PCI compliant, as cardholder data is still being processed (by a third-party) using their merchant ID. However, the requirements that the merchant must comply with are minimal.

Completing and maintaining SAQ A is therefore a fairly trivial exercise for merchants and the requirements address two key areas. Firstly, any paper copies of cardholder data (such as merchant copy receipts or reconciliation reports) must be physically protected or destroyed. Secondly, a list of service providers should be maintained and their compliance status monitored.

This type of SAQ would not be applicable for face-to-face channels.

SAQ A-EP

This is one of the newer additions to the SAQ types and has been designed to apply to e-commerce merchants who partially outsource all payment processing to PCI DSS compliant service providers. The merchant will typically have a website that redirects consumer users to a payment processor at point of payment, but the web server itself does not electronically store, process or transmit card data. However, the manner in which the consumer is redirected to the payment processor and where the payment page components are provisioned from, will dictate whether SAQ A or A-EP would be the most suitable. Many merchants who previously used SAQ A now fall under SAQ A-EP for validation.

In summary, if all elements of the payment form originate from the payment processor (e.g. a straight redirect or iFrame) then SAQ A can be used. For other methods such as direct post (browser API/silent order post), JavaScript created forms, or if the website itself collects the payment data and sends it to the payment processor, SAQ A-EP should be used.

This SAQ type is only applicable to e-commerce channels.

SAQ B

SAQ B applies to merchants with no electronic cardholder data storage and who process payments either by standalone terminals or imprint-only machines.

Modern payment terminals are often referred to as PEDs (pin-entry devices) or previously as PDQs (Process Data Quickly terminals). These terminals rarely rely on direct dial-up connections anymore and can have multiple connection types, such as Bluetooth, Ethernet and GSM/LTE. Meeting the eligibility criteria can seem difficult, but in actual fact, the acquirers we have worked with were happy to accept a completed SAQ B for terminals that connect via these means, as long as they are isolated from other network components.

Imprint machines (affectionately referred to as knuckle busters by those who use them) are still in place in some bricks-and-mortar merchant premises, though they are increasingly falling out of use. It is extremely rare for a merchant to use imprint-only machines as the sole method of taking payments.

This SAQ type is not applicable to e-commerce channels.

SAQ B-IP

Another new addition to the SAQ types and is used for merchants who process payments via standalone PTS-approved point-of-interaction (POI) devices with an IP connection to the payment processor. This type of transaction can apply to brick-and-mortar (card present) or mail/telephone order (card-not-present) merchants, but there is no electronic storage of card data. The POI devices should be isolated from any other systems and the only retention of card data is on paper merchant receipts.

This SAQ type is not applicable to e-commerce channels.

SAQ C-VT

SAQ C-VT was developed for a specific environment and contains some subtle differences toSAQ C. The VT stands for virtual terminals and applies to externally hosted web payment solutions for merchants with no electronic cardholder data storage.

This service is offered by a number of payment processers and acquirers, and is most commonly used by call centre agents entering details manually. A key part of this SAQ is that it applies to environments where operators enter a single transaction at a time.

SAQ C-VT is also often applied mistakenly. Whilst it has a very clear purpose, merchants often find it difficult to meet the validation criteria. This is because the terminals used to enter payments must be isolated in a single location and not connected to other systems in your environment. The most common implementation is via thin-client terminals or individual systems with dedicated Internet access and host-based firewall restrictions.

This SAQ type is not applicable to e-commerce channels.

SAQ C

SAQ C applies to merchants with a payment application connected to the Internet and no electronic storage of cardholder data. It normally applies to small merchants who have deployed out-of-the box software to a standalone machine for taking individual payments.

Whilst this SAQ was written with small bricks-and-mortar merchants in mind, it is often found to be the most appropriate SAQ for merchants with no cardholder data storage who process payments via in-house call centres and web-hosted payment entry. This type of environment is what SAQ C-VT (described above) has been written to address, though the eligibility criteria exclude environments that do not have isolated standalone workstations. As such, SAQ C covers the key controls that should apply to a call centre environment though not expressly meeting the validation criteria.

This SAQ type is not applicable to e-commerce channels.

SAQ P2PE

This new SAQ type has been introduced for merchants who process card data only via payment terminals included in a validated and PCI SSC-listed Point-to-Point Encryption (P2PE) solution. It can apply to both brick-and-mortar (card present) and mail/telephone order (card-not-present) merchants. Card data is only ever keyed directly into a P2PE validated hardware device and there is no electronic storage of card data.

This SAQ type is not applicable to e-commerce channels.

SAQ D

SAQ D is the final SAQ and applies to any merchants who do not meet the criteria for other SAQs, as well as all service providers. SAQ D encompasses the full set of over 200 requirements and covers the entirety of the PCI DSS. If you are a service provider, this is the only SAQ you are eligible to complete. The only change from previous SAQ reporting is that there are now separateSAQ Ds and AOCs for merchants and service providers.

Because SAQ D is the default catch-all SAQ, there may still be parts of it that are not applicable to your environment. One example is the requirement that track data from the magnetic stripe is not stored; this is not relevant for card-not-present transactions. It is acceptable to mark these as ‘Not Applicable’ or ‘N/A’ with appropriate justification.

This SAQ will take considerable time for a merchant or service provider to complete. Many organisations find that their resources are better spent on either reducing the scope of their environment to a point where they meet the criteria for another SAQ or engaging a QSA to assess the environment directly.

If card data is stored electronically as part of payment processing, then this SAQ type will always be applicable.

Conclusions

When self-assessing, it is important that the right SAQ is chosen. Often organisations will find that they do not meet all of the eligibility criteria for the SAQ they would like to complete and are burdened with the full set of PCI DSS requirements. Engaging a QSA can provide invaluable assistance in determining which SAQ is most applicable and reducing the scope of your cardholder data environment. Furthermore, an SAQ counter-signed by a QSA has significantly more credibility.

PCI Online Document Library

 

 

Accreditations

As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
We are certified in the ISO 9001 quality management system (QMS) in the UK, ensuring reliable delivery of our products and services.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.