What is a self-assessment questionnaire (SAQ)?
For organisations that process fewer than 6 million transactions, a self-assessment questionnaire (SAQ) is a validation tool that allows merchants and service providers to self-audit their PCI DSS compliance. For some organisations the appropriate questionnaire is short and simple, while for others it can be long and technical.
If you are struggling with your SAQ, give our PCI consultants a call. They can advise you on which SAQ to complete and offer support to reduce effort and cost.
What is SAQ validation and support?
A PCI DSS SAQ validation service will help you identify the right SAQ to complete and provide the appropriate support and advice to achieve full PCI DSS compliance.
This will involve:
- Identifying the appropriate SAQ to complete; and
- Making suggestions to improve compliance and help to fully populate the SAQ ready for your submission.
Our consultants will help you validate your cardholder data environment, reduce gaps and help you answer technical components of the SAQ enabling you to submit your SAQ with ease.
Find out more about our SAQ Validation and Support service
Did you know?
Each SAQ has a different subset of the PCI DSS requirements that are relevant to the payment channel in question, and all of the questions on each SAQ must be answered.
It is possible to mark requirements as ‘not applicable’ (not all can be marked N/A; there are a few that are always applicable), as long as the organisation can justify the non-applicability. It is also possible to use what is called a ‘compensating control’ – a process or technology to reduce risks – but this must be fully risk justified and documented within the SAQ.
Benefits of SAQ validation and support
By receiving SAQ validation and support, you can help your organisation to:
- Eliminate confusion around the SAQ eligibility criteria.
- Get expert QSA assistance with the SAQ and other requirements.
- Determine your risk posture by establishing the gaps between your compliance efforts and the Standard.
- Receive guidance to remediate issues and meet compliance requirements.
- Receive the completed PCI DSS SAQ, ready to submit to your acquiring bank.
Is an SAQ validation and support service right for you?
If you are responsible for implementing the PCI DSS in your organisation, you should ask yourself:
- Is there a lack of certainty over the correct SAQ to complete?
- Are the SAQ reporting requirements too onerous for our business?
- Are we struggling to complete the SAQ itself?
- Are there controls that we cannot meet and require advice on?
- Do we need to evaluate our security practices and plan our journey to compliance?
Our engagement process
The service typically involves several days on-site for our consultants to meet with the managers who oversee the PCI DSS programme; key staff involved in network administration and cardholder systems; and the individuals responsible for company procedures and policies.
- Pre-assessment information gathering: Our consultant will discuss your SAQ requirements with key stakeholders and conduct a review of the existing SAQ documentation.
- Assessment and analysis: During this step, we will review the processing and flow of cardholder data through systems and processes, assess any third-party or service provider dependencies and document any evidence to demonstrate compliance.
- Post-assessment: We will provide a report of findings, and make suggestions to lower your validation level, such as scope reduction, and submit an attested SAQ, signed off by a QSA.
“IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing.”
Damien Everard, COO of Appletree.