Compliance with the PCI DSS standard is achieved via different methods. For eligible merchants and service providers, validating and reporting PCI DSS compliance could be via the PCI DSS Self-Assessment Questionnaire (SAQ). The SAQ is a tool for eligible entities to evaluate and report PCI DSS compliance through self-assessment. As the SAQ document is a a significant part of the PCI Council’s tools to help ensure the safety of cardholder data, it is important for all eligible merchants and service providers to complete their SAQ.
PCI’s SAQ Instructions and Guidelines document shows eight types of SAQ, each one designed to accommodate a different scenario depending on how the merchant or service provider stores, processes, or transmits cardholder data. Specifics to a certain merchant’s environment will determine which SAQ should be used, from whether the merchant fully outsources all cardholder data functions to which type of terminal the merchant uses to enter transactions. For organizations with environments that do not fit within a specific SAQ type, the SAQ D would be an appropriate document.
Organizations are often confused regarding which SAQ would be best for their specific scenario. However, resources are in place to assist the merchant or service provider in selecting the correct SAQ. PCI’s SAQ Instructions and Guidelines document is available in the Document Library of the PCI Council’s website and provides a thorough explanation of the various SAQ types. Alternatively, the merchant could consult with the acquirer or directly with the payment brands. Another approach is to consult with a reputable PCI QSA to confirm SAQ eligibility and verify which SAQ would best fit the merchant’s specific environment.