Self Assessment Questionnaire
All Acquirers and ISOs are required to adhere to the PCI DSS guidelines and to ensure that their merchants complete an annual Attestation and Self Assessment Questionnaire (SAQ), along with a vulnerability scan where applicable.
The SAQ is a self-validation tool for merchants and service providers who are not required to undergo on-site assessments for PCI DSS compliance. The SAQ consists of a series of yes-or-no compliance questions. For each "no" answer, the organization must state the planned remediation date and the associated actions. To align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant's or service provider's business situation (see chart below). The SAQ validation type does not correspond to the merchant classification or risk level.
There are eight variations of the SAQ, versions A through D, designed to reflect how merchants process credit cards, store sensitive data, and create and manage written security policies. The completed PCI documentation is submitted to the Payment Card Industry Security Standards Council and placed on file.
Vulnerability scanning is required for any merchant that processes credit cards through a public-facing IP address. The PCI SAQ will help you determine whether a scan is required. The PCI scan evaluates an IP address from an attacker's point of view to detect any vulnerability that could lead to a data breach.
Vulnerability scanning is required on a quarterly basis, and merchants must attest to a passing scan.