Self-Assessment Questionnaire
All Acquirers and ISOs are required to adhere to the PCI DSS guidelines and to ensure that their merchants complete an annual Attestation of Compliance (AOC) and Self-Assessment Questionnaire (SAQ), together with an external vulnerability scan where one applies.
The SAQ is a self-validation tool for merchants and service providers who are not required to undergo an on-site assessment for PCI DSS compliance. It consists of a series of yes-or-no questions against the PCI DSS requirements. For every "no" answer, the organization must state the planned remediation date and the actions it will take. To align more closely with how merchants actually validate compliance, the SAQ was revised into several variants so that the questionnaire matches the complexity of a particular merchant's or service provider's business situation (see the table below). The SAQ validation type is independent of the merchant level (classification) and of the merchant's risk level: a merchant's level sets how much validation the payment brands require, while the SAQ type reflects only how the merchant handles cardholder data.
There are five variants of the SAQ (A, B, C-VT, C and D), reflecting how merchants accept and process cards, whether they store cardholder data electronically, and how they create and maintain written security policies. The completed SAQ and AOC are submitted to the merchant's acquirer (or directly to the payment brand, where the brand's compliance program requires it), not to the PCI Security Standards Council, and are kept on file there.
| SAQ Validation Type | Description | SAQ |
|---|---|---|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| 2 | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage | B |
| 3 | Merchants using only web-based virtual terminals, no electronic cardholder data storage | C-VT |
| 4 | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage | C |
| 5 | All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ | D |
External vulnerability scanning is required for any merchant whose card-processing environment is reachable through a public-facing IP address; merchants whose processing is fully outsourced or done only over dial-out terminals (SAQ A and B) generally have no Internet-facing systems in scope and therefore no scan requirement. The questions in the SAQ will lead you to whether a scan is required for your validation type. The scan must be performed by a PCI SSC Approved Scanning Vendor (ASV); it probes every in-scope public IP address from an attacker's perspective, looking for vulnerabilities that could lead to a breach of cardholder data, and a finding of sufficient severity results in a failing scan until it is remediated and rescanned.
Scanning is required at least quarterly and after any significant change to the in-scope network (for example new Internet-facing systems or major firewall changes), and merchants must attest to a passing scan for each quarter as part of their annual validation.