Choosing the right PCI SAQ Services for your Business

With the steady rise in data theft and security breaches, PCI DSS compliance has become essential for every organization that accepts, transmits, processes or stores cardholder data. The consequences of non-compliance with PCI DSS are not limited to fines. A breach of cardholder data affects the entire payment ecosystem, and the breached entity can face significant financial liabilities: card brand penalties, the cost of the forensic investigation and remediation, contract cancellation by the acquiring bank and loss of reputation. Safeguarding customer information is also critical in its own right, because customers are far less inclined to keep doing business with an entity that has been breached.

What is PCI SAQ?

The PCI SAQ (Payment Card Industry Self-Assessment Questionnaire) is a validation tool published by the PCI Security Standards Council (PCI SSC) that lets eligible merchants and service providers evaluate their own compliance with PCI DSS, rather than undergoing an on-site assessment by a Qualified Security Assessor (QSA). Each SAQ contains a set of yes/no questions mapped to the PCI DSS requirements that apply to a particular payment channel, together with an Attestation of Compliance (AOC) that the entity signs and submits to its acquirer or payment brand. Which SAQ an entity may use depends on how it handles cardholder data; the eligibility criteria for each SAQ type are summarized below, and an entity must meet every criterion of an SAQ in order to use it.

Types of PCI SAQs

There are several types of SAQs. The shorter ones apply only to tightly constrained payment channels; as soon as an environment fails one of the eligibility criteria, the merchant falls through to a longer SAQ.

  1. SAQ A:

SAQ A addresses the requirements of card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions. SAQ A merchants must ensure that:

  • All cardholder data functions are completely outsourced to a PCI DSS validated third-party service provider.
  • They accept only card-not-present transactions (e-commerce, mail or telephone order).
  • For e-commerce, all elements of the payment page delivered to the customer's browser originate only and directly from the third-party service provider; the merchant's own systems never receive cardholder data and the merchant has no control over how it is captured or processed.
  • They do not electronically store, process or transmit any cardholder data on their systems or premises, and retain only paper reports or receipts of payments.

  2. SAQ A-EP:

SAQ A-EP was introduced with PCI DSS v3.0 for e-commerce merchants that partially outsource their payment channel: payment processing is handled by a third party, but the merchant's web site affects the security of the transaction. It applies where:

  • The company accepts only e-commerce transactions.
  • The processing of cardholder data is outsourced to a PCI DSS validated third-party service provider.
  • The merchant's web site does not itself receive cardholder data, but it controls how the customer is sent to the third-party payment page (for example, the merchant's page generates the redirect or builds the form that posts to the processor), so a compromise of the merchant's site could alter the payment flow.
  • They do not electronically store, process or transmit any cardholder data on their systems or premises, and retain only paper reports or receipts of payments.

Because the merchant's web server is in scope, SAQ A-EP is considerably longer than SAQ A, and it requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).

  3. SAQ B:

SAQ B is for merchants that use only imprint machines and/or standalone dial-out terminals (terminals that connect to the payment processor over a telephone line) for card transactions.

  • They use only imprint machines and/or standalone dial-out terminals for payment transactions.
  • The standalone terminals are not connected to any other system within the merchant environment, including the internet.
  • The only transmission of cardholder data is from the terminal to the payment processor over the dial-out line.
  • The company does not store cardholder data in electronic format.

  4. SAQ B-IP:

SAQ B-IP is for merchants that process payments via standalone, PTS-approved Point of Interaction (POI) devices with an IP connection to the payment processor.

  • They use only standalone, PTS-approved POI devices (listed on the PCI SSC web site) that connect to the payment processor over IP.
  • The IP-connected POI devices are not connected to any other system within the merchant environment; this is normally achieved with network segmentation that isolates the devices from other systems.
  • The only transmission of cardholder data is from the PTS-approved POI device to the payment processor.
  • The company does not store cardholder data in electronic format.

  5. SAQ C:

SAQ C is for merchants whose payment application system (for example, a point-of-sale system) is connected to the internet.

  • The payment application system and the internet connection are on the same device and/or the same local area network (LAN).
  • The payment application system and its LAN are not connected to any other systems within the merchant environment.
  • The company retains only paper reports or receipts of payment transactions.
  • The company does not store cardholder data in electronic format.

  6. SAQ C-VT:

SAQ C-VT is for merchants that manually key transactions, one at a time, into a web-based virtual payment terminal.

  • The company's only payment channel is a virtual payment terminal accessed through a web browser, with card data typed in one transaction at a time; no card readers or other devices are attached to the computer.
  • The virtual payment terminal is hosted by a PCI DSS validated third-party service provider.
  • The company accesses the virtual payment terminal from a computer that is isolated in a single location, is dedicated solely to this purpose and is not connected to other locations or systems within the environment.
  • The company retains only paper reports or receipts of payment transactions.
  • The company does not store cardholder data in electronic format.

  7. SAQ P2PE:

SAQ P2PE is for merchants that use hardware payment terminals that are part of a validated point-to-point encryption (P2PE) solution.

  • All payment processing is via a validated P2PE solution approved and listed by the PCI SSC, and the merchant operates it according to the solution's P2PE Instruction Manual (PIM).
  • The only systems that store, process or transmit account data are the POI devices approved as part of the P2PE solution.
  • The company does not otherwise receive or transmit cardholder data electronically, and has no electronic cardholder data left over from earlier payment channels.
  • The company retains only paper reports or receipts of payment transactions.
  • The company does not store cardholder data in electronic format.

Because account data is encrypted inside the approved POI device before it reaches anything the merchant controls, the merchant's network is largely removed from scope, which is why this is one of the shortest SAQs.

  8. SAQ D:

SAQ D is the fallback for all merchants that do not meet the criteria of any other SAQ, and for all service providers eligible to self-assess (SAQ D for Merchants and SAQ D for Service Providers are separate documents). It covers the full set of PCI DSS requirements. Merchants that typically fall under SAQ D:

  • Do not fully outsource their payment processing and do not use a validated P2PE solution.
  • Store cardholder data electronically (for example, in a database, a spreadsheet or application log files).
  • Do not store cardholder data electronically but still fail to meet another SAQ's criteria (for example, a point-of-sale system that shares a network with back-office systems).
  • Have other PCI DSS requirements applicable to their environment that the shorter SAQs do not cover.

Not every requirement in SAQ D applies to every environment; requirements that genuinely do not apply are marked as not applicable, with an explanation of why, rather than being left blank.

PCI DSS Compliance Levels

The right SAQ for your business is determined by the way you process payment card data; your merchant level determines how compliance must be validated and reported. Merchant levels are defined by each card brand. The four levels below use the thresholds published by Visa and Mastercard; check your acquirer's requirements, as the brands differ in some details.

  • PCI Merchant Level 1: Merchants processing more than 6 million card transactions annually via any channel. Any merchant that has suffered an account data compromise, or that a card brand designates as Level 1, also falls under this level. Level 1 merchants cannot self-assess with an SAQ; they must undergo an annual on-site assessment by a QSA (or by certified Internal Security Assessor staff) resulting in a Report on Compliance (ROC).
  • PCI Merchant Level 2: Merchants processing 1 million to 6 million card transactions annually via any channel. Level 2 merchants validate with an SAQ, but Mastercard requires that the SAQ be completed by a QSA or by ISA-certified staff.
  • PCI Merchant Level 3: Merchants processing 20,000 to 1 million e-commerce transactions annually.
  • PCI Merchant Level 4: Merchants processing fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million card transactions annually.

In addition to completing the questionnaire, merchants validating with SAQ A-EP, B-IP, C or D must pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV); SAQ A, B, C-VT and P2PE do not require ASV scans.

No matter what level your business falls into, it is important to comply with the PCI DSS requirements. Understanding the SAQs, identifying the one that matches your payment channel and completing it correctly is a challenging process. It is therefore advisable to select a trusted cybersecurity partner who can help you scope your cardholder data environment, choose the correct SAQ and secure your sensitive data.

To know more about our PCI DSS Services, visit https://valuementor.com/pci-dss-compliance/

Contact us to know more about our services