PCI Self-Assessment Questionnaire Explained
For the majority of merchants (levels 2 - 4) PCI compliance can be reported through the PCI SSC Self-Assessment Questionnaires (SAQ). Essentially the SAQ is a paired down list of requirements from the full PCI Data Security Standard (DSS). One key thing to remember however, is that just because the requirement doesn't show up on the SAQ questions, doesn't mean you don't have to follow it. With that said, the way the PCI SSC has configured the SAQ forms you probably don't have to worry about it too much. As long as you are using the correct form for the way you run your business you are good to go.
There are currently 5 different SAQ types, A, B, C-VT, C, and D. Each one focuses on a different type of merchant and how they process credit card data. For instance, SAQ B is for merchants that only have face-to-face customers and use dial-up card terminals, where as SAQ D addresses merchants that have Internet type terminals and store card data.
The key to selecting the right SAQ is being familiar with your payment process and your computer network. When it comes to credit card payments there are in-person and card-not-present payments. In-person would be those where the person can physically hand you the credit card to swipe, while card-not-present is your typical online transaction. Knowing which types of payments you have in your business will help in selecting the right SAQ.
There are also 3 basic types of payment terminals to be aware of. The first is the old imprint type, where you make a carbon copy of the card. Not many businesses use these any more. Then there is the dial-up terminal. These types plug into a phone line (not the Internet) and must dial out every time a credit card is processed. These types of terminals are still widely used in many businesses. The last type are IP terminals, or ones with a connection to the Internet. These devices are very convenient because they are always connected to your processor and can conduct transactions very quickly. Most of the newest terminals are IP based.
The last area to cover, in determining your SAQ type, is your computer network configuration. This can get complicated quickly, but for SAQ purposes there is really only one thing you need to know: Does your business have multiple computers connected together or just a lone system. A few telling signs that you are running a network are the existence of things like an Internet router/modem, network switches/hubs, numerous computer systems, and shared printers and other devices. Also the question of which type of network you have only comes into play when you use the IP terminals. Dial-up terminals by nature are not part of a computer network and simplifies your PCI requirements.
There are many SAQ Selector Tools out there that will guide you through the process of determining your SAQ validation type. These tools ask you simple questions about how you process card data and network configuration. With the basic knowledge outlined above you will be able to adequately answer the questions asked by such tools. The Aeris Compliance Engine (ACE) provides one to all merchants with an account. Once you know your SAQ type the next step is to report your compliance.
Now that we have a little bit more of a foundation to what a SAQ is, the next several posts will highlight each of the five SAQ forms and detail the types of merchants that should use them.