PCI DSS Compliance Blog: PCI SAQ Made Easy


02/02/2009

PCI SAQ Made Easy

How Businesses Can Opt for a Shortened PCI Self-Assessment Questionnaire

Merchants processing credit cards are required to pass an annual assessment of PCI DSS compliance. The assessment type depends on the number of credit card transactions a business processes and whether those sales are made from a physical location or over the internet. 

Level 1 merchants processing more than six million card transactions a year undergo an on-site security assessment. Smaller companies that fall under Levels 2, 3 and 4 must complete the PCI SAQ (Payment Card Industry Self-Assessment Questionnaire). The results of these assessments are then provided to the business's acquirer or payment brand.

There are four different versions of the SAQ – A, B, C and D. Each SAQ is intended to address different circumstances depending on how a company stores, processes or transmits cardholder data.

SAQ A:
Card-not-present (e-commerce or mail/telephone order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.

SAQ B:
Imprint-only merchants with no cardholder data storage OR stand-alone dial-up terminal merchants, no cardholder data storage.

SAQ C:
Merchants with payment application systems connected to the Internet, no cardholder data storage.

SAQ D:
All other merchants not included in descriptions for SAQ A, B or C and all service providers defined by a payment brand as eligible to complete an SAQ. 

To simplify, if a business stores electronic cardholder data it must complete the SAQ D. If it does not, it completes one of the other three, depending on the other factors indicated. Many businesses need to access their customers' credit card information several times, either to credit a card or to charge a recurring payment, and thus find themselves completing the SAQ D. The SAQ D is the longest SAQ at 31 pages.

Businesses in this situation, however, have a way to opt for a shortened PCI SAQ: outsourcing the data storage. Several companies offer a service to move a business's sensitive information to a PCI DSS compliant data storage facility. The business then accesses customer card information using a unique identifier (a token) that "points" to the actual data held by the provider; a properly generated token is random and reveals nothing about the card number it stands for. The result is more security for customers and a shortened SAQ. Because the business no longer stores cardholder data, it can now complete the SAQ C, which is far shorter at 16 pages. Outsourcing storage does not outsource responsibility, though: the merchant still has to confirm that the provider is itself PCI DSS compliant (Requirement 12.8 covers managing service providers) and that no card numbers linger in its own systems, such as logs, backups, e-mail or spreadsheets, since any such copy would put it back in SAQ D.
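To make the "pointer" arrangement concrete, here is an added illustrative example (not code from the original post or from any storage vendor) of a minimal token vault in Python: the provider side keeps the only copy of the card number and hands back a random token; the merchant side stores just the token and the last four digits; and a small Luhn-based scanner checks that a merchant-side record contains no card-number-shaped data. The class and function names (`TokenVault`, `MerchantRecord`, `find_pans`) are the example's own assumptions, and the card numbers it uses are the standard publicly documented test numbers, not real cards.

```python
"""Illustrative token vault (added example; not from the original page or any vendor).

Models the arrangement the post describes: the merchant keeps only an opaque
identifier (token) that points at a PAN held by a separate storage provider.
"""
import re
import secrets
from dataclasses import dataclass


def luhn_ok(digits: str) -> bool:
    """Standard Luhn (mod-10) check, used both to validate input and to spot PAN-shaped strings."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Provider side: the only place a full PAN is kept (assumed in-memory store for the example)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        # The token is random, not derived from the PAN, so it cannot be reversed
        # without access to the vault's mapping.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider (or an authorised call to it) can turn a token back into a PAN."""
        return self._pan_by_token[token]


@dataclass
class MerchantRecord:
    """What the merchant's own database holds: a pointer plus a truncated PAN for display."""
    customer_id: str
    token: str
    last4: str  # truncated PAN (last four) is permitted for display and is not full-PAN storage


def store_card(vault: TokenVault, customer_id: str, pan: str) -> MerchantRecord:
    """Hand the PAN to the provider and keep only the token on the merchant side."""
    token = vault.tokenize(pan)
    return MerchantRecord(customer_id=customer_id, token=token, last4=pan[-4:])


# Digit runs of PAN length not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan merchant-side data (a DB row, a log line, a spreadsheet export) for Luhn-valid PAN-shaped runs.

    A non-empty result means the merchant is storing cardholder data after all.
    """
    return [m for m in _PAN_RE.findall(text) if luhn_ok(m)]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample input: the well-known Visa test number.
    rec = store_card(vault, "cust-1", "4111111111111111")
    merchant_row = f"{rec.customer_id},{rec.token},{rec.last4}"
    print("merchant row:", merchant_row)
    print("PANs found in merchant row:", find_pans(merchant_row))
    print("provider resolves token to:", vault.detokenize(rec.token))
    # Constructed sample of the failure mode: a PAN pasted into a free-text note.
    print("PANs found in note:", find_pans("refund note: card 4111111111111111 charged twice"))
```

The scanner is the part worth keeping around: run it over database exports, application logs and support-ticket text before filling in the SAQ, because a single full PAN found there means the "no cardholder data storage" answer is wrong.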


Comments

I am wanting to find out if we need to be PCI compliant.

We take a deposit to hold an RV for rental through our website. We do not process the card information; our site links to a gateway (Authorize.net).

When a customer arrives to pick up the RV we take an imprint of the card for the deposit and swipe the card through a terminal connected by dial-up phone. No card data is stored in a computer. The imprint is saved in a safe until the renter returns, at which time a charge is entered (if damaged) or it is given to the customer to destroy.

What level and type are we and do we need to comply with PCI?

Terry, Merchants are required (by all payment brands) to be PCI-DSS compliant if they handle payment cards.

The PCI SAQ you would fill out depends on where the card information is being collected. Even if it’s not processed immediately, if the card is initially collected via your own web site (meaning the card is entered on a merchant-controlled web site), then you would need to complete SAQ C.

If the card is initially collected only via an Authorize.net web site, then you would need to complete SAQ A. Otherwise, all stand-alone terminal or imprint-only merchants would need to complete SAQ B. I'd recommend you visit https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions for details on the SAQs so you can determine which SAQ you would be required to complete.

I'm struggling with which SAQ I need to take. How do I get a better idea of what SAQ to take?

Jim, visit https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions for details on the SAQs so you can determine which SAQ you would be required to complete.


I am working with a federal customer who will partner with Pay.Gov (all PCI DSS certified). Our application will *not* handle any credit card or ACH information. We are passing off to Pay.Gov for all payment processes. However, we do have a call center which will be taking credit card and ACH information over the phone. The call center operators all have clearances and background checks complete. That said, I think based on our volume that we are a Level 4 and we need to complete SAQ A, but I want to double check that we need to do that at all since we are pushing all storage of credit card and ACH information to Pay.Gov. Any comments or suggestions welcome!

Bill, thank you for your comment. Based on the information you gave, it sounds like you are taking the correct steps to ensure that all compliance requirements are being met. It appears you may need to complete the SAQ A if you are receiving card data over the phone, since the physical card won't be present. Even though you are using a third-party to store your credit card data, it may be best to complete the SAQ since credit card information is being handled and transferred.

You may consider consulting a QSA to make sure that you are in fact taking the proper steps to address their compliance requirements. Please feel free to contact us with any further questions.

I am completing a SAQ D and see reference to an attestation of compliance. Is it required that this attestation be performed by a 3rd party, or can an individual within a company perform this attestation?

Hi Joe,

This is a great question. It’s the responsibility of the merchant to sign this document to confirm they are compliant. Other entities, such as a QSA, can help them through the process (and Part 1 allows the merchant to provide QSA information), but someone within the merchant organization should ultimately sign off (Part 3b) on the merchant version of AOC D.

I hope this helps answer your question.

Thanks!

Very interesting subject, nicely put and niche content.
