Help with PCI Self-Assessment Questionnaire

by Ben Dwyer

May 3, 2025

Any business that takes credit cards must be compliant with PCI DSS standards. Small businesses will also complete a PCI Self-Assessment Questionnaire (SAQ).

But many business owners find PCI compliance and SAQs confusing or overwhelming. There are even multiple different versions of the SAQ! In this article, I’ll go over the basics to help you understand your responsibilities with the SAQ.

What is the SAQ?

The Self-Assessment Questionnaire (SAQ) is a series of yes or no questions about your security practices. It’s the document you will need to submit to ‘prove’ your compliance with PCI standards. Your credit card processor may be able to help you with the questionnaire, especially if they are charging a PCI compliance fee.

Types of SAQ

As you can see on the PCI website, there are several different types of SAQ. Below, I’ve listed several of the most common and I’ll explain the differences between them to help you determine which one is right for your business.

Each SAQ type and the businesses it applies to:

SAQ-A – This SAQ is for businesses that are entirely “card-not-present,” meaning online transactions. It does not apply to “card-present” businesses that swipe, dip, or tap credit cards on a physical terminal. It also does not apply to card-not-present transactions that your staff manually key into your payment system.

Furthermore, this SAQ only applies if the card-not-present business fully outsources credit card processing to third-party services, meaning your business / website doesn’t store, process, or transmit any cardholder information. Payment pages redirect to your processor. If you use processor-hosted payment pages or other out-of-the-box ecommerce solutions from your credit card processor, this SAQ typically applies.

SAQ-EP – Like the SAQ-A, this questionnaire is for entirely “card-not-present” businesses, but it’s specifically for businesses whose website interacts with the payment environment. That could mean you load the checkout page in an iframe embedded in your site, host the checkout page on your own site, or use other methods that give your website a more direct role in the checkout process.

SAQ-B – This SAQ applies to card-present businesses that exclusively use a basic stand-alone credit card machine with a phone line for connectivity. Furthermore, the machine cannot store any card information. If the machine stores card info, or if you connect via the internet or Bluetooth, this SAQ won’t apply.

SAQ B-IP – Like the SAQ B, this questionnaire applies to card-present businesses exclusively using a stand-alone credit card machine that doesn’t store card data, but this one uses an IP connection instead of a phone line.

SAQ C – This SAQ is for card-present businesses that use POS systems connected to the internet, where the system doesn’t store any cardholder data.

SAQ C-VT – This SAQ is where card-not-present keyed transactions come in. If your staff manually enter card information into a virtual terminal connected to the internet, this questionnaire will apply.

If your business does not fall into the categories listed above, be sure to check the PCI DSS website for the full list of SAQ types.

Many small businesses fall into SAQ A, B, or C. If you’re still unsure which one applies to your business, be sure to check with your credit card processor or review the PCI website’s longer explanation of SAQ types.

Just need the SAQs themselves? You can go to the PCI website’s document library and search for the SAQ you need.

Understanding the SAQ

The questions in the SAQs vary depending on which version you need for your business. However, I’ll go over a general explanation, using the SAQ C as an example.

The SAQ C is split into several sections:

Section 1 – General business information, such as name and location

Section 2 – This section is split into multiple subsections, including:

  • Executive summary, such as how you take payment, transmit data, and what solutions you use
  • In-scope facilities, meaning which of your location(s) are covered by this SAQ
  • Lists of third-party service providers you use
  • Summary of whether you meet the specific requirements that are detailed in the rest of the document

Section 3 – Validation and attesting to the results

Section 2 is the bulk of the document, with multiple pages dedicated to explaining the various requirements and how you can check to see if you meet them. The SAQ is not short (C clocks in at 77 pages) so it’s worth planning an appropriate amount of time to tackle it in advance.

For each requirement, you’ll need to check off yes, no, or not applicable. If you select “no,” you will also typically need to include plans to become compliant. Be honest with the questionnaire. It’s better to list a no and make a plan to resolve it than to lie on the document.

Planning for your SAQ

Since the SAQs are lengthy, it’s best to tackle them in smaller chunks.

For example, the SAQ C has 12 requirements, each with multiple subsections. You could start by taking a look at each requirement, noting the number of subsections, and determining how much time to allocate to that requirement. Perhaps you prefer to set aside a fixed amount of time, like 1 hour per day, or you may prefer a results-based approach like completing one subsection of requirements per week.

Requirement 12 is about maintaining an information security policy, specifically “support information security with organizational policies and programs.” It specifies that the policies can be right-sized to match the complexity of your business’s operations and must be provided to your staff so they’re aware of their responsibilities.

You might look at requirement 12, see that it has multiple subsections, but realize that many of them will have the same expected “testing” such as interviewing your staff about the policies. So you may decide to tackle one requirement per week or group several together, and then do the “testing” all at once.

Whatever method you use, remember that documentation will be key, so be sure to write down your processes and have a plan in place to review them on a regular cadence.

Further Assistance

Still need help? You have a few options. First, try your credit card processor. Many processors charge a PCI compliance fee, intended to help you achieve and maintain PCI compliance. If your processor charges that fee, it’s worth checking into what it covers and how you can get assistance.

If your processor won’t help or you just want more involved assistance, you can consider hiring a Qualified Security Assessor (QSA) who is an expert in PCI. In most cases, you aren’t required to use a QSA, but they can provide expert guidance if you find it necessary.

Consequences of PCI Non-Compliance

PCI compliance can seem like a hassle, but the repercussions can be large. PCI standards are designed to increase security and minimize risk of things like data breaches. Small businesses are particularly vulnerable to data breaches, since they often don’t have dedicated cybersecurity staff. Data breaches can cost you tens of thousands in fees and damages, to say nothing of the damage to your brand and reputation.

More immediately, many credit card processors charge a PCI non-compliance fee for every month that you are not compliant. This is money down the drain for you. As soon as you become compliant, that fee will stop.

With many small businesses constantly under pressure to keep costs down, needlessly paying a PCI non-compliance fee only hurts you. Need to cut costs even further? Make sure you’re not overpaying for credit card processing in the first place. Sign up for a free CardFellow.com account to compare pricing from various processors and see if you’re getting a good deal with your current processor. Try it today!
