Prove your payment card security to your bank through an SAQ.

A PCI Self-Assessment Questionnaire (PCI SAQ) is a merchant's statement of PCI compliance. It's a way to show that you're taking the security measures needed to keep cardholder data secure at your business.
Each SAQ includes a list of security standards that businesses must review and follow. PCI SAQs vary in length. SAQ A is the shortest with just 22 questions, and the longest is SAQ D with 329 questions.
Which SAQ is right for me?

If you're wondering, "which SAQ is right for me?" there are 9 different SAQs a merchant can choose from. How you process credit cards and handle cardholder data determines which SAQ your business needs to fill out. For example, if you don't have a storefront and all your products are sold online through a third party, you probably qualify for SAQ A or SAQ A-EP. If you do have a storefront that processes credit cards through the Internet and you also store customer credit card data, you're probably an SAQ D merchant.
Ultimately, you must choose the SAQ that’s right for your processing environment, but generally speaking:
This table gives more detail about each of the PCI DSS 3.2 SAQ types:
Why are SAQs required?

The Self-Assessment Questionnaire isn't just a roadmap to compliance; it's a roadmap to better security. Filling out a PCI SAQ is the best way to make sure you aren't missing any business security requirements. In addition, merchant processors don't want to work with insecure businesses, so they typically require each merchant to provide a PCI SAQ as proof of payment security.
Remember that no matter your SAQ type, you're still required to follow ALL the PCI DSS standards. Doing so may require vulnerability scans, penetration tests, and/or audits.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.