ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

You are here: Home / Blog / Which PCI SAQ Do I need?

We totally understand… its daunting to figure out which PCI DSS Self-Assessment Questionnaire (SAQ) you need to complete for your business. After all, there are nine of them!

Yes! you need to review where your business fits… or better yet… email ksimon@controlcase.com to schedule a quick call that will help you figure this out!

The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment. There are a number of different SAQs available that are intended meet the needs of particular types of environments:

1. SAQ A – Perhaps the simplest one…required if you have full outsourced all your cardholder data functions. So there is NO electronic storage, processing, or transmission of any cardholder data in your systems or premises.

2. SAQ A-EP – Applicable if you do not store, process or transmit cardholder data on your premises or on your systems – you use e-commerce only and have outsource the handling of all card data to a third party. However, although your website doesn’t handle card data, it could still impact the security of a transaction.

3. SAQ B – This one is not for e-commerce environments. It is applicable to merchants who do not store, process or transmit cardholder data BUT they use standalone, dial-out terminals or imprint machines.

4. SAQ B-IP – Also not for e-commerce environments. Required if you only use standalone, PTS-approved payment terminals with an IP connection to the payment processor and have no electronic cardholder data storage.

5. SAQ C-VT – Also not for e-commerce environments. Required if you use a virtual terminal on a computer that is solely for card processing. Again no electronic cardholder data is stored.

6. SAQ C – Required if you have a payment application connected to the Internet; even if you do not store any cardholder data.

7. SAQ P2PE – Required if you are using point-to-point encryption (P2PE) devices; even if you even if you do not store any cardholder data.

8. SAQ D for Merchants – Required if you are handling your own credit card processing or use a P2PE solution. Therefore, you may be storing credit card data electronically.

9. SAQ D for Service Providers – If you are a service eligible to complete an SAQ you need this one!

Completing your SAQ will not only improve your security but it will demonstrate that you consider and care about payment security to your clients, processors and other stakeholders.

FYI, ControlCase assists companies to achieve PCI compliance using SAQ.

Click Here to discuss your specific environment.

Related Blog

PCI DSS Compliance Checklist
PCI Asia Pacific Community Meeting
PCI Europe Community Meeting
ControlCase New CEO Reinforces One Audit for Compliance with Multiple Regulations
PCI Security Standards Council Announces 2020 – 2022 Global Executive Assessor Roundtable
How to define PCI DSS Scope?
When it comes to scoping for PCI DSS, many organizations struggle to understand where PCI DSS controls are required to be implemented and which systems need to be protected. Many organizations still have problems figuring out which systems are in PCI DSS scope and which systems are not.

About Us

ControlCase is a global provider of technology-driven compliance and security solutions. ControlCase is committed to partnering with clients to develop strategic information security and compliance programs that are simplified, cost effective and comprehensive in both on-premise and cloud environments.

ControlCase provides the best experts, customer experience and technology for regulations including PCI DSS, GDPR, SOC2, HIPAA, ISO 27001/2, CCPA, SWIFT, Microsoft SSPA, CSA STAR, SCA, PA DSS, PCI P2PE, PCI PIN, PCI 3DS, PCI Secure Software, PCI Secure SLC.

https://www.controlcase.com