PCI SAQ Made Easy
How Businesses Can Opt for a Shortened PCI Self-Assessment Questionnaire
Merchants that accept payment cards must validate PCI DSS compliance every year. The type of validation depends on the merchant's transaction volume (its merchant level) and on how it stores, processes or transmits cardholder data, including whether sales are taken in person or over the internet.
Level 1 merchants, those processing more than six million card transactions a year, undergo an on-site security assessment that produces a Report on Compliance. Smaller companies that fall under Levels 2, 3 and 4 complete the PCI SAQ (Payment Card Industry Self-Assessment Questionnaire) instead. The completed SAQ and its Attestation of Compliance are then provided to the business's acquirer or payment brand.
There are four versions of the SAQ in the release this article describes: A, B, C and D (later revisions of PCI DSS split these into additional types such as A-EP, B-IP, C-VT and P2PE). Each SAQ is intended for a different set of circumstances, depending on how a company stores, processes or transmits cardholder data:
SAQ A: Card-not-present (e-commerce or mail/telephone order) merchants with all cardholder data functions outsourced. This never applies to face-to-face merchants.
SAQ B: Imprint-only merchants with no cardholder data storage, or stand-alone dial-up terminal merchants with no cardholder data storage.
SAQ C: Merchants with payment application systems connected to the Internet and no cardholder data storage.
SAQ D: All other merchants not covered by SAQ A, B or C, and all service providers defined by a payment brand as eligible to complete an SAQ.
To simplify: if a business stores electronic cardholder data, it must complete the SAQ D. If it does not, it completes one of the other three, depending on the factors listed above. Many businesses need to access their customers' card details more than once, either to credit a card or to charge a recurring payment, and so find themselves completing the SAQ D. The SAQ D is the longest SAQ at 31 pages.
Businesses in this situation do, however, have a way to qualify for a shorter PCI SAQ: outsource the storage. Several providers will hold a business's cardholder data in a PCI DSS compliant storage facility and hand back a unique identifier, a token, that "points" to the actual data. The business keeps only the token and presents it whenever it needs to issue a credit or charge a recurring payment; the provider resolves the token to the card number on the business's behalf. The result is less exposure for customers and a shorter questionnaire: because the business no longer stores cardholder data, it can complete the SAQ C, which is far shorter at 16 pages. Two things to confirm before switching questionnaires: the token must be random or otherwise not derivable from the card number, and no cardholder data may remain anywhere else in the business's environment, such as logs, backups, spreadsheets or old databases, since any such copy puts the business back in SAQ D.
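The arrangement described above, a token vault held by the provider and an opaque token held by the merchant, as an added example. This is illustrative code written for this article, not the API of any real tokenization vendor; the TokenVault class, the luhn_ok helper, the CustomerRecord type and the test card number 4111111111111111 are all constructed for the example.

```python
"""Illustrative tokenization: the merchant database keeps only a random token
and the last four digits; only the (hypothetical) vault can map a token back
to a PAN.  Added example, not code from the original article or any vendor."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn check so obvious typos are rejected before a number reaches the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, c in enumerate(reversed(pan)):
        d = int(c)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the provider's PCI DSS compliant storage.
    A real vault encrypts PANs at rest under managed keys and is the only
    system able to resolve a token; the in-memory dicts here are just a model."""

    def __init__(self, fingerprint_key: bytes):
        self._pan_by_token = {}   # token -> PAN (vault side only)
        self._token_by_fp = {}    # keyed hash of PAN -> token, for card reuse
        self._key = fingerprint_key

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash lets the vault recognise a card it already holds without
        # storing a plain SHA-256 of the PAN, which is brute-forceable.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Store the PAN and return a token that carries no information about it."""
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        token = "tok_" + secrets.token_urlsafe(24)   # random, not derived from PAN
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Vault-side operation: resolves the token (and in a real service would
        forward the PAN to the acquirer). Returns only what the merchant may see."""
        pan = self._pan_by_token[token]
        masked = "*" * (len(pan) - 4) + pan[-4:]
        return {"token": token, "amount_cents": amount_cents, "masked_pan": masked}


@dataclass
class CustomerRecord:
    """What the merchant's own database stores for a saved card: no PAN."""
    customer_id: str
    token: str
    last4: str


def store_card(vault: TokenVault, customer_id: str, pan: str) -> CustomerRecord:
    """Merchant-side flow: send the PAN to the vault once, keep only the token."""
    token = vault.tokenize(pan)
    return CustomerRecord(customer_id=customer_id, token=token, last4=pan[-4:])


if __name__ == "__main__":
    vault = TokenVault(fingerprint_key=secrets.token_bytes(32))
    rec = store_card(vault, "cust-42", "4111111111111111")   # constructed test PAN
    print(rec)                                 # token and last4 only
    print(vault.charge(rec.token, 1999))       # recurring charge by token
```

The property that earns the shorter questionnaire is visible in CustomerRecord: nothing the merchant persists can be turned back into a card number without the vault, and the same card tokenized twice yields the same token, so recurring billing and refunds work without the merchant ever storing the PAN.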