SAQ

SAQ (Self-Assessment Questionnaire) is a self-assessment sheet for organizations that need to be PCI DSS compliant. It is used in situations where a company is undergoing a light audit instead of an ASV scan.

To pass the SAQ, one of the requirements must be met: the customer is not a financial institution, processing center, or global provider, or the number of transactions during the year does not exceed 300,000.

PCI DSS Compliance

Types of SAQ

. Depending on how electronic payments are processed, the self-assessment sheet is categorized into eight types.

Type “A”. Assigned to organizations that do not use bank cards for payment. They use third-party companies that have been fully audited in accordance with the PCI DSS standard. They are simply a router of end-user funds.
A-EP type. The legal entity has its own website, but a third party that has been audited is used for payment. This option is applicable to e-commerce channels.
Type “B”. Organizations use stand-alone terminals that connect to the provider via a phone line to make payments.
Type “B-IP”. The company uses freestanding electronic terminals that are PCI DSS compliant. The connection is made via TCP/IP protocol.
Type “C-VT”. A legal entity enters manually the bank card data into the terminal each time to perform an electronic transaction. It is connected to the external network via TCP/IP protocol and complies with PCI DSS standard.
Type “C”. The organization makes payments through POS-terminals, which are connected to the Internet directly or through a proxy-server.
Type “P2PE”. In this case the company uses only certified P2PE-products.
An organization uses only certified P2PE-products.
Type “D”. Applies to all other companies that do not conform to the types above.

. In all SAQ variations, bank cardholder information is not stored, transmitted or processed on the organization’s side.

The process of completing the self-survey questionnaire is hard because of the specific wording. If the customer has difficulties, it is recommended to contact a third party that has the necessary certifications.

Companies that are willing to assist in completing the self-assessment sheet undergo paid internal audit training in accordance with the PCI DSS standard.