ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

You are here: Home / Blog / Which PCI SAQ Do I need?

We totally understand… its daunting to figure out which PCI DSS Self-Assessment Questionnaire (SAQ) you need to complete for your business. After all, there are nine of them!

Yes! you need to review where your business fits… or better yet… email ksimon@controlcase.com to schedule a quick call that will help you figure this out!

The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment. There are a number of different SAQs available that are intended meet the needs of particular types of environments:

1. SAQ A – Perhaps the simplest one…required if you have full outsourced all your cardholder data functions. So there is NO electronic storage, processing, or transmission of any cardholder data in your systems or premises.

2. SAQ A-EP – Applicable if you do not store, process or transmit cardholder data on your premises or on your systems – you use e-commerce only and have outsource the handling of all card data to a third party. However, although your website doesn’t handle card data, it could still impact the security of a transaction.

3. SAQ B – This one is not for e-commerce environments. It is applicable to merchants who do not store, process or transmit cardholder data BUT they use standalone, dial-out terminals or imprint machines.

4. SAQ B-IP – Also not for e-commerce environments. Required if you only use standalone, PTS-approved payment terminals with an IP connection to the payment processor and have no electronic cardholder data storage.

5. SAQ C-VT – Also not for e-commerce environments. Required if you use a virtual terminal on a computer that is solely for card processing. Again no electronic cardholder data is stored.

6. SAQ C – Required if you have a payment application connected to the Internet; even if you do not store any cardholder data.

7. SAQ P2PE – Required if you are using point-to-point encryption (P2PE) devices; even if you even if you do not store any cardholder data.

8. SAQ D for Merchants – Required if you are handling your own credit card processing or use a P2PE solution. Therefore, you may be storing credit card data electronically.

9. SAQ D for Service Providers – If you are a service eligible to complete an SAQ you need this one!

Completing your SAQ will not only improve your security but it will demonstrate that you consider and care about payment security to your clients, processors and other stakeholders.

FYI, ControlCase assists companies to achieve PCI compliance using SAQ.

Click Here to discuss your specific environment.

Related Blog

Why PCI DSS 4.0 Should Be on Your Radar?
With the release of PCI v4.0, the countdown has started for organizations already PCI DSS Certified to transition from PCI DSS v3.2.1 to the new PCI DSS v4.0 standard. With the timelines of one year to prepare for v4.0 and two years to fully ready for v4.0 future dated requirements, it is time to assess readiness for PCI DSS v4.0 and establish a detailed plan to meet the requirements and timelines.
PCI DSS v4.0 | Webinar
Deep Dive into notable changes: Promote Security as a Continuous Process Increased Flexibility and Customized Approach Increased Alignment between PCI ROC and PCI SAQ Keep up with the security needs of the Payment Industry and landscape (such as MFA/phishing, etc.)
Seminario Web PCI DSS v4.0
Los temas por tocar serían: Cambios incluidos en PCI DSS v4.0 Cambios críticos de PCI DSS v3.2.1 a v4.0 Cambios metodológicos de PCI DSS v3.2.1 a v4.0 Nuevos requerimientos que podrían necesitar un mayor esfuerzo en la implementación Desde la perspectiva de Latam
Aide-Mémoire PCI DSS v4.0
La norme de sécurité des données PCI (PCI DSS) a été établie en 2004 par les principaux émetteurs de cartes de paiement. Elle est maintenue par le Conseil des normes de sécurité PCI. Il fournit des exigences opérationnelles et techniques pour protéger les données des titulaires de cartes.
PCI DSS 4.0
Hosted by ControlCase and the PCI Security Standards Council, this 45-minute webinar will cover: History of PCI DSS (including current version 3.2) PCI DSS v4.0 High-Level Changes PCI DSS v4.0 Timeline
PCI DSS v4.0
The goals for PCI DSS v4.0 are to continue to meet the security needs of the payment industry, to promote security as a continuous process, to add flexibility for different methodologies, and to enhance validation methods.

About Us

ControlCase is a global provider of technology-driven compliance and security solutions. ControlCase is committed to partnering with clients to develop strategic information security and compliance programs that are simplified, cost effective and comprehensive in both on-premise and cloud environments.

ControlCase provides the best experts, customer experience and technology for regulations including PCI DSS, GDPR, SOC2, HIPAA, ISO 27001/2, CCPA, SWIFT, Microsoft SSPA, CSA STAR, SCA, PA DSS, PCI P2PE, PCI PIN, PCI 3DS, PCI Secure Software, PCI Secure SLC.

https://www.controlcase.com