PCI DSS: which SAQ best applies to your organisation?

Organisations that store, transmit or process cardholder data, regardless of their size or volume of transactions, must comply with the Payment Card Industry Data Security Standard, also known as the PCI DSS. Whether you are a merchant or a service provider – software developers included – the PCI DSS applies to you if you process, store or transmit cardholder data, or if your activities affect the security of the cardholder data during processing and transmission.

To demonstrate compliance with the Standard, companies must complete an audit of the cardholder data environment. There are two types of audits:

  • Report on compliance (RoC) – completed by a PCI QSA organisation, like IT Governance, or by an internal security assessor (ISA). This usually applies to companies with complex cardholder data environments.
  • Self-assessment questionnaire (SAQ) – signed off by an officer of the merchant or service provider. This usually applies to companies with less complex cardholder data environments.

RoC or SAQ?

The type of audit depends on:

  • The type of organisation (merchant or service provider);
  • The volume of annual transactions;
  • The payment channels adopted.

Each payment brand (American Express, Discover, JCB, MasterCard and Visa) has its own compliance requirements, and each brand sets its own eligibility criteria for completing an SAQ or a RoC.

Which SAQ best applies to your organisation?

It is very important to choose the right SAQ. If you are not sure which one applies to your organisation, contact your acquiring bank before starting the process. Here is a table to help you understand which SAQ to complete:

  • SAQ A – Card-not-present (e-commerce or mail/telephone-order) merchants whose cardholder data functions are all outsourced. This doesn’t apply to face-to-face merchants.
  • SAQ A-EP – E-commerce merchants that outsource their payment processing but not the administration of the website that links to it.
  • SAQ B – Imprint-only or dial-out merchants with no electronic cardholder data storage.
  • SAQ B-IP – Merchants that use standalone PEDs connected to the processor via an IP connection.
  • SAQ C-VT – Merchants that use only web-based virtual terminals (no electronic cardholder data storage).
  • SAQ C – Merchants with payment application systems connected to the Internet (no electronic cardholder data storage).
  • SAQ D – All other merchants not included in SAQ types A through C above, and all service providers that a payment brand determines are eligible to complete the SAQ.
  • SAQ P2PE-HW – Merchants with only hardware payment terminals included in a validated PCI SSC-listed P2PE solution (no electronic cardholder data storage).

Valid resources to help you with the SAQ submission

Completing the SAQ can be daunting if you don’t know much about the PCI DSS. Fill your knowledge gap by attending the PCI DSS Foundation Training course. In one day only, our Qualified Security Assessor (QSA) trainer will introduce you to the PCI DSS and provide practical tips to get started with a PCI DSS compliance project. If you have already started the project but you are struggling to get to grips with it, our PCI DSS SAQ Validation and Support service can help you find the easiest path.

Call us on +44 (0) 845 070 1750 or email servicecentre@itgovernance.co.uk to discuss your requirements.