Self Assessment Questionnaire (SAQ)
The Self Assessment Questionnaire (SAQ)
The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the SAQ designed to meet various scenarios.
Responsibility for PCI Compliance
The PCI Council requires that all merchants are PCI Compliant and the responsibility for ensuring this lies with you, the merchant.
Using the CRE Secure system does not remove the merchant's responsibility to complete and maintain compliance. CRE Secure has been designed to make PCI Compliance easier for you. If you operate your business only via a website and you follow our instructions precisely, we find that most merchants are able to qualify for the simplest path to PCI Compliance via SAQ-A (see the SAQ details below).
However, because all merchant businesses are different, CRE Secure recommends that you assess your particular business needs carefully with regard to the compliance process and ensure you are following the appropriate requirements. (For example, if you have both a bricks-and-mortar store AND a web store, the scope of your compliance needs will be reduced by CRE Secure but not eliminated.)
SAQ Details
The PCI Council has defined a number of different store levels and the requirements for each level to become PCI Compliant. Level 4 stores process fewer than 20,000 transactions per year, while Level 3 stores process fewer than 1 million transactions per card brand per year. Level 2 stores can also use the SAQ to self-assess under certain circumstances. The 5 categories are shown in the table below. The full documents for each SAQ can be found for your reference by clicking on the relevant links:
SAQ Versions

| SAQ Validation Type | Description | SAQ: V1.2 |
|---|---|---|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| 2 | Imprint-only merchants with no electronic cardholder data storage | B |
| 3 | Stand-alone terminal merchants, no electronic cardholder data storage | B |
| 4 | Merchants with POS systems connected to the Internet, no electronic cardholder data storage | C |
| 5 | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. | D |
Please consider each category of SAQ carefully and decide which merchant category your business falls into. The answer to this question will determine which SAQ applies to you and can make a huge difference in the scope and complexity of the compliance process.
For example, a merchant using the CRE Secure system who does all business via his/her website only and does not store credit cards will, in most cases, qualify to use SAQ-A. This SAQ is the simplest of them all and requires answering and dealing with only 13 requirements.
Alternatively, a merchant NOT using the CRE Secure system, processing cards through their website and storing cards in the database, will likely fall into SAQ-D, which requires dealing with and complying with over 227 requirements.
IMPORTANT
Once you have determined which SAQ is applicable to your business, download the relevant SAQ via the links in the table above and fill in all the information required.
There may be questions you are unable to answer because you do not have the requirements in place. You must attend to those gaps before you can complete the process.
Finally, sign and date the document and send it to your acquirer (your Merchant Bank) via the route specified by each of them. Please contact your acquirer for details on where you must send the completed SAQ.
Your acquirer is the financial institution with whom you have your Merchant Account. If you do not know who that is, talk with the ISO or other sales party who set up your original Merchant Account.
A Note about Scans
Most merchants who utilize CRE Secure will not be required to have regular scans of their website. However, the PCI Council has left the determination of this requirement to the merchant banks. For this reason we recommend that you check with your acquiring bank on the need to have scans.
If you are required to have scans, our partner Controlscan can assist you with determining the right scanning package for your needs.