ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

You are here: Home / Blog / Which PCI SAQ Do I need?

We totally understand… its daunting to figure out which PCI DSS Self-Assessment Questionnaire (SAQ) you need to complete for your business. After all, there are nine of them!

Yes! you need to review where your business fits… or better yet… email ksimon@controlcase.com to schedule a quick call that will help you figure this out!

The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment. There are a number of different SAQs available that are intended meet the needs of particular types of environments:

1. SAQ A – Perhaps the simplest one…required if you have full outsourced all your cardholder data functions. So there is NO electronic storage, processing, or transmission of any cardholder data in your systems or premises.

2. SAQ A-EP – Applicable if you do not store, process or transmit cardholder data on your premises or on your systems – you use e-commerce only and have outsource the handling of all card data to a third party. However, although your website doesn’t handle card data, it could still impact the security of a transaction.

3. SAQ B – This one is not for e-commerce environments. It is applicable to merchants who do not store, process or transmit cardholder data BUT they use standalone, dial-out terminals or imprint machines.

4. SAQ B-IP – Also not for e-commerce environments. Required if you only use standalone, PTS-approved payment terminals with an IP connection to the payment processor and have no electronic cardholder data storage.

5. SAQ C-VT – Also not for e-commerce environments. Required if you use a virtual terminal on a computer that is solely for card processing. Again no electronic cardholder data is stored.

6. SAQ C – Required if you have a payment application connected to the Internet; even if you do not store any cardholder data.

7. SAQ P2PE – Required if you are using point-to-point encryption (P2PE) devices; even if you even if you do not store any cardholder data.

8. SAQ D for Merchants – Required if you are handling your own credit card processing or use a P2PE solution. Therefore, you may be storing credit card data electronically.

9. SAQ D for Service Providers – If you are a service eligible to complete an SAQ you need this one!

Completing your SAQ will not only improve your security but it will demonstrate that you consider and care about payment security to your clients, processors and other stakeholders.

FYI, ControlCase assists companies to achieve PCI compliance using SAQ.

Click Here to discuss your specific environment.

Related Blog

Why PCI DSS 4.0 Should Be on Your Radar?
With the release of PCI v4.0, the countdown has started for organizations already PCI DSS Certified to transition from PCI DSS v3.2.1 to the new PCI DSS v4.0 standard. With the timelines of one year to prepare for v4.0 and two years to fully ready for v4.0 future dated requirements, it is time to assess readiness for PCI DSS v4.0 and establish a detailed plan to meet the requirements and timelines.
Aide-Mémoire PCI DSS v4.0
La norme de sécurité des données PCI (PCI DSS) a été établie en 2004 par les principaux émetteurs de cartes de paiement. Elle est maintenue par le Conseil des normes de sécurité PCI. Il fournit des exigences opérationnelles et techniques pour protéger les données des titulaires de cartes.
PCI DSS v4.0
The goals for PCI DSS v4.0 are to continue to meet the security needs of the payment industry, to promote security as a continuous process, to add flexibility for different methodologies, and to enhance validation methods.
Quelles Sont les 12 Exigences de Conformité PCI DSS?
Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is always to protect cardholder data.
Log4j Vulnerability and how to remain PCI DSS Compliant
Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is always to protect cardholder data.
How to define PCI DSS Scope?
When it comes to scoping for PCI DSS, many organizations struggle to understand where PCI DSS controls are required to be implemented and which systems need to be protected. Many organizations still have problems figuring out which systems are in PCI DSS scope and which systems are not.

About Us

ControlCase is a global provider of certification, cybersecurity, and continuous compliance services. ControlCase is committed to empowering organizations to develop and deploy strategic information security and compliance programs that are simplified, cost-effective, and comprehensive in both on-premise and cloud environments.
ControlCase offers certifications and a broad spectrum of cyber security services that meet the needs of companies required to certify to PCI DSS, HITRUST, SOC2, CMMC, ISO 27001, PCI PIN, PCI P2PE, PCI TSP, PCI SSF, CSA STAR, HIPAA, GDPR, SWIFT, and FedRAMP.