Self-Assessment Questionnaire A is the most basic of all the PCI validation types. It was developed to address the needs of merchants who don't personally process any card data electronically. The requirements that apply to SAQ A merchants are very few. There are only two sections from the full PCI DSS that merchants must complete, for a total of 13 questions.
SAQ A only requires merchants to provide physical access security to cardholder data and also maintain policies that address information security for personnel. Even though there are only 2 sections presented in SAQ A, all merchants are required to comply with the PCI DSS in its entirety. If you have properly identified yourself as an SAQ A, then all other points not listed on the form won't apply to your specific situation.
Who it applies to:
Self-Assessment Questionnaire A focuses on merchants who don't have any face-to-face transactions (100% card-not-present) and also don't digitally store, process, or transmit any cardholder data. These types of merchants deal only in e-commerce and mail/phone orders. For payment processing SAQ A merchants rely solely on outsourced third party payment processors like PayPal or Google Checkout. This means that no card data ever touches your systems.
To clarify a little bit, if you are using PayPal, as an SAQ A merchant, you need to be using the setup where customers are physically directed away from your site to PayPal's before any card data is entered. The applicable PayPal implementations would be "Website Payments Standard" or "Express Checkout". If you use PayPal "Website Payments Pro" then an SAQ A is not the right form for you.
One more thing to note about the third party payment provider, in order for you to be eligible to use SAQ A they must be PCI compliant. You need to be able to confirm that they have gone through a PCI assessment and passed. Usually you can find this type of information on the service providers website, or by asking a sales agent. The company will need to produce a signed certificate of compliance.
The last point to determine eligibility for SAQ A has to do with storing card data. If you choose to store any data that your processor or customer might provide you, then it can only be received and stored in paper form. You can't have any data in an electronic format. For example if you do mail orders you can't have a customer email you his card information. Or if you get reports from your processor that have card data it can't be emailed to you.
In summary, here are the bullet points to qualifying for SAQ
- Only card-not-present transactions (e-commerce, mail/telephone orders)
- Rely entirely on PCI compliant third party providers to process payments
- Only receive and store card data in paper form (no electronic card data)
How to become compliant:
Because of the way SAQ A merchants process data, their PCI requirements for reporting are very simple. Since they don't actually process, transmit or store card data, they don't need to scan any computer systems, review system configuration, or audit coding practices. The only real requirement is to make sure they meet all the requirement listed in SAQ A, then fill it out and submitted to their acquiring bank.
Merchants need to report their PCI compliance status every year. Each year before your compliance deadline you should review the current SAQ A form, which can be found here and conduct an audit of your policies and procedures. Check to make sure that everything is current and in line with what is required by the PCI SSC. By conducting an annual assessment of PCI requirements you can be sure you are maintaining a solid baseline of security to protect against potential threats.