Now that you have decided to create/configure your business to accept credit cards as one form of payment for the goods or services you offer to your customers, you may be curious what impact that decision will have on your business operations. Working towards aligning your policies, procedures, standards, and controls with the requirements set forth in the Payment Card Industry Data Security Standard (PCI DSS) can be quite adventurous. There are likely to be some agonizing choices about how best to protect the cardholder data that you either store, process, or transmit. You might even question the decision to accept credit card payments. Are the benefits derived from accepting credit card transactions worth the headaches?
While that is a question I cannot answer for you, I can emphatically tell you this: if your business model includes accepting credit card payments, you have the responsibility to validate on a periodic basis that your suite of controls remains in compliance with the PCI DSS. If your respective acquirer or payment brand does not require you to submit a PCI DSS Report on Compliance (ROC), then you are eligible to evaluate your compliance utilizing a self-assessment questionnaire (SAQ). However, there are multiple versions of the PCI DSS SAQs to meet various scenarios. I have seen many of our customers struggle with the same challenge – which SAQ should I complete? When determining which SAQ is right for your organization, technical details do matter!
The following are some of the core questions you will have to ask yourself in determining which SAQ to select for your self-assessment:
- Are you a mail-order, telephone, or e-commerce merchant that does not accept physical credit card payments (often referred to as “card not present transactions”) and have fully outsourced your payment processing to a PCI DSS compliant service provider?
  - If yes, you should select SAQ A if you do not directly store, process, or transmit cardholder data. In this scenario, the transaction is passed directly to the payment processor by a website iframe or is fully redirected to the payment processor.
  - If you accept e-commerce transactions which are outsourced but your website delivers some elements of the payment page, then you should select SAQ A-EP.
- Do you process transactions only via imprint or dial-out machines or via approved PIN transaction security (PTS) devices?
  - If yes, and your device has internet access (assigned an IP), you should select SAQ B-IP.
  - If yes, but your device doesn’t have internet access, you should select SAQ B.
- Do you process transactions via a payment application connected to the internet AND you are not an e-commerce merchant?
  - If yes, and transactions are processed via a payment application on a Point of Sale (POS) terminal or a PC with an internet connection, you should select SAQ C.
  - If yes, and transactions are processed via your web browser sending to a service provider’s virtual payment application, you should select SAQ C-VT.
- If you answer no to all of the above questions, then there is the “catch all” of SAQ D. In addition, if you are a payment processing service provider or you store any cardholder data, then you should select SAQ D.
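The questions above form a decision tree, and the order matters: storing any cardholder data or acting as a service provider forces SAQ D before the channel questions are even asked. The following is an added example (not part of the original post, and not a PCI SSC tool) that encodes that tree; the `MerchantProfile` field names are this example's own shorthand for the answers, not official terminology.

```python
from dataclasses import dataclass


@dataclass
class MerchantProfile:
    """Constructed answers to the scoping questions above. Field names are this
    example's own, not PCI SSC terminology; every answer defaults to "no"."""
    stores_cardholder_data: bool = False
    is_service_provider: bool = False
    card_not_present_only: bool = False   # mail-order, telephone or e-commerce only
    fully_outsourced: bool = False        # processing done by a compliant provider
    site_serves_payment_page: bool = False  # your site delivers part of the payment page
    ecommerce: bool = False
    imprint_dialout_or_pts_only: bool = False
    device_has_ip: bool = False
    internet_payment_app: bool = False    # payment app on a POS or PC with internet
    browser_virtual_terminal: bool = False  # browser sends to provider's virtual terminal


def select_saq(p: MerchantProfile) -> str:
    """Walk the questions in order; the first rule that applies decides the SAQ."""
    # Storing any cardholder data, or being a service provider, means SAQ D no
    # matter how payments are taken, so that check comes before everything else.
    if p.stores_cardholder_data or p.is_service_provider:
        return "SAQ D"
    # Q1: card-not-present merchant with fully outsourced processing.
    if p.card_not_present_only and p.fully_outsourced:
        return "SAQ A-EP" if p.site_serves_payment_page else "SAQ A"
    # Q2: only imprint machines, dial-out terminals or approved PTS devices.
    if p.imprint_dialout_or_pts_only:
        return "SAQ B-IP" if p.device_has_ip else "SAQ B"
    # Q3: internet-connected payment application, and not an e-commerce merchant.
    if not p.ecommerce:
        if p.internet_payment_app:
            return "SAQ C"
        if p.browser_virtual_terminal:
            return "SAQ C-VT"
    # Nothing above matched: the catch-all.
    return "SAQ D"


if __name__ == "__main__":
    # Constructed scenario: outsourced e-commerce that nonetheless keeps card data.
    shop = MerchantProfile(card_not_present_only=True, fully_outsourced=True,
                           stores_cardholder_data=True)
    print(select_saq(shop))  # storage wins over the outsourced channel: SAQ D
```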
As noted at the beginning of this blog, there can be agonizing choices to make when it comes to implementing controls and validating your PCI compliance. Selecting an improper Self-Assessment Questionnaire for your PCI DSS compliance efforts will likely lead to additional work on your part after your acquirer and/or payment brand reviews your submitted SAQ. You cannot avoid choosing a SAQ. And don’t forget that all of this is subject to change if the DSS is changed in any way. This blog was created with PCI DSS v3.2.1 in place.
As a wise, old knight once said to a swashbuckling adventurer seeking the Holy Grail:
If you are still unclear about which SAQ to complete, we can help. Please contact us here: firstname.lastname@example.org
You can also visit our website to see our available PCI services: