
HISTORY
In the early 2000s it became clear that a single, uniform validation approach for PCI DSS did not fit every merchant: the controls that matter for a large processor are not the ones that matter for a shop with a dial-up terminal. In 2008 the Payment Card Industry Security Standards Council (PCI SSC) addressed this by introducing Self-Assessment Questionnaires (SAQs). SAQs are self-validation tools written with merchants in mind: they give a merchant a simpler, scoped path to evaluating its own adherence to the PCI DSS requirements and to reporting its compliance status without a full on-site assessment.
Types of merchants
The earliest SAQs were categorized according to the following types of merchants:
- E-Commerce: Merchants that let customers pay through a website. Payment channels of this kind are usually termed card-not-present channels.
- MOTO (Mail Order/Telephone Order): Merchant environments where payment card transactions are taken through mail order or telephone channels.
- Retail: Merchants that offer card-present transaction channels, where the customer presents the card in person for payment.
What are SAQs?
The PCI DSS standard consists of 12 main requirements and more than 300 sub-requirements. Depending on three major factors, namely how the merchant stores, transmits and processes cardholder data, a PCI SAQ reduces the total number of sub-requirements that the merchant must meet to achieve PCI DSS compliance.
What are different types of SAQs?
- SAQ A: E-commerce or mail/telephone-order merchants (card-not-present) that do not store, process or transmit cardholder data in electronic form. All cardholder data functions are outsourced to PCI DSS compliant third-party service providers.
- SAQ A-EP (E-commerce): Merchants that transact business only through a website (no offline card transactions) and do not store, process or transmit cardholder data electronically, but whose website affects the security of the payment transaction. PCI DSS compliant third-party service providers handle all payment processing.
- SAQ B: Merchants that handle cardholder data only through imprint machines or standalone dial-up terminals, with no electronic cardholder data storage.
- SAQ B-IP: Merchants using standalone, PTS-approved payment terminals with an IP connection, with no electronic cardholder data storage.
- SAQ C: Merchants with payment application systems connected to the internet, with no electronic cardholder data storage.
- SAQ C-VT (Virtual Terminal): Merchants that use only web-based virtual terminals, with no electronic cardholder data storage.
- SAQ D for Merchants: All other merchants not covered by the SAQs above. This covers merchants that store cardholder data, process transactions on their own servers or have complex payment processing environments.
- SAQ D for Service Providers: Third-party service providers that store, process or transmit cardholder data on behalf of many merchants. If you are a service provider rather than an individual merchant, this is the SAQ to complete.
- SAQ P2PE-HW (Point-to-Point Encryption, Hardware): Merchants that use only PCI PTS-approved hardware payment terminals as part of a validated PCI P2PE solution.
The SAQ must be selected according to the merchant's actual payment processing methods and systems. To ensure an accurate and compliant self-assessment, merchants must carefully review the eligibility criteria of each SAQ and consult their acquiring bank or payment processor, which ultimately decides which SAQ is acceptable. Always use the latest version of both the PCI DSS and the SAQ documents, since the criteria change between versions.
Published by: Ankit K J
