SAQ
SAQ (Self-Assessment Questionnaire) is a self-assessment form for organizations that must be PCI DSS compliant. It is used when a company undergoes a lightweight assessment instead of an ASV scan.
To be eligible for the SAQ, one of the following conditions must be met: the customer is not a financial institution, processing center or global provider, or the number of transactions during the year does not exceed 300,000.
Types of SAQ
Depending on how electronic payments are processed, the self-assessment questionnaire is divided into eight types.
- Type “A”. Assigned to organizations that do not handle bank card payments themselves. They use third-party companies that have been fully audited against the PCI DSS standard; the organization itself only routes the end user's payment to that provider.
- Type “A-EP”. The organization has its own website, but payment is handled by an audited third party. This option applies to e-commerce channels.
- Type “B”. Organizations use stand-alone terminals that connect to the provider over a phone line to make payments.
- Type “B-IP”. The company uses freestanding electronic terminals that are PCI DSS compliant. The connection is made over TCP/IP.
- Type “C-VT”. The organization manually enters the bank card data into the terminal for each electronic transaction. The terminal is connected to the external network over TCP/IP and is PCI DSS compliant.
- Type “C”. The organization makes payments through POS terminals that are connected to the Internet directly or through a proxy server.
- Type “P2PE”. The company uses only certified P2PE products.
- Type “D”. Applies to all other companies that do not fit any of the types above.
In all SAQ variations, bank cardholder information is not stored, transmitted or processed on the organization’s side.
Completing the self-assessment questionnaire is difficult because of its specialized wording. If the customer has difficulties, it is recommended to engage a third party that holds the necessary certifications.
Companies that offer assistance with completing the self-assessment questionnaire undergo paid training as internal auditors under the PCI DSS standard.