What is PCI SAQ?
PCI SAQ stands for Payment Card Industry Self-Assessment Questionnaire. As the name suggests, it is a questionnaire that eligible merchants complete themselves to check whether they meet the PCI Data Security Standard (PCI DSS), through a series of yes/no questions about how they accept, handle and protect cardholder data. The PCI Security Standards Council publishes the questionnaires as a lighter-weight validation method for merchants whose transaction volumes do not require an on-site assessment by a Qualified Security Assessor; the completed SAQ, together with a signed Attestation of Compliance, is what the merchant submits to its acquiring bank.
Helps Recognize the Extent to Which Merchants Comply with PCI Standards.
Merchants who handle card payments sometimes have a hard time seeing exactly where they fall short of the PCI DSS requirements; in other words, where they are not adequately protecting their customers' card data. They may comply in most areas but not in all of them. This is where the SAQ comes in handy: because it walks through every applicable requirement in turn, it helps a merchant identify the specific controls that are missing or incomplete and address them. Strictly speaking, there is no such thing as being "more compliant": an SAQ is only passed when every applicable question is answered "yes" (or "not applicable" with a justification), so any "no" answer is a gap that must be remediated before the Attestation of Compliance can be signed. Closing those gaps, in turn, means better-protected card transactions.
More about PCI SAQ.
The self-assessment questionnaire (SAQ) is built on the 12 PCI DSS requirements, which are grouped into 6 broader control objectives. Every requirement included in the chosen questionnaire must be answered, but not every questionnaire includes every requirement: the shorter SAQs (such as A and B) contain only the subset relevant to that payment channel, while SAQ D contains all of them. There are 9 different versions of the questionnaire, and the one a merchant must complete depends on how it handles cardholder data: whether transactions are card-present or card-not-present, which of its own systems touch card data, and whether any cardholder data is stored electronically.
Types of PCI SAQ.
The most common types of PCI SAQ are listed below (the remaining ones are B-IP, C-VT, P2PE and the service-provider version of D):
A: Applies to card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, so that no cardholder data is stored, processed or transmitted on the merchant's own systems or premises. This is the shortest questionnaire, since the merchant never handles card data itself, and it can usually be completed easily; the merchant must still confirm that its service providers are PCI DSS compliant.
A-EP: Applies to e-commerce merchants that partially outsource payment processing to PCI DSS validated service providers (or payment processors). In this case the merchant's website does not itself receive cardholder data, but it controls how consumers are redirected to the payment processor at the point of payment. The distinction from SAQ A is about who controls the payment page: a full-page redirect or an iframe served entirely by the provider can qualify for SAQ A, whereas a page where the merchant's own code (for example a direct-post form or JavaScript) controls how card data is submitted falls under A-EP, because a compromise of the merchant site could then divert card data. A-EP is accordingly much longer than A.
B: Applies to merchants with no electronic cardholder data storage that take payments only with imprint machines or stand-alone, dial-out payment terminals. Stand-alone terminals that connect over an IP network instead of a phone line fall under the separate SAQ B-IP.
C: Applies to merchants whose payment application system (for example a point-of-sale system) is connected to the internet, with no electronic cardholder data storage. Merchants that key transactions into a web-based virtual terminal on an isolated computer use the separate SAQ C-VT.
D: The last SAQ in the list, and the catch-all: it applies to merchants that are not eligible for any of the other SAQs. In practice this usually means the merchant stores cardholder data electronically or has card-data flows that do not fit any single simpler category, but storing card data is not a condition of SAQ D; it is simply the most common reason a merchant ends up there. SAQ D for merchants contains all PCI DSS requirements, and there is a separate SAQ D for service providers.
How to Take Up These PCI SAQ Tests?
Completing the SAQ directly can be difficult because of its intricacies, in particular choosing the right questionnaire type and interpreting the requirements for a specific environment. Guided wizards such as Hackerguardian PCI Compliance streamline the process by walking the merchant through type selection and the questions in plain language, and they also provide remediation plans for the gaps the questionnaire reveals. A wizard does not change what is being asked, however: whichever tool is used, the merchant still has to answer truthfully, fix every "no", and sign and submit the Attestation of Compliance to its acquirer.
What if merchants ignore this SAQ Test?
Merchants are required by their acquiring bank, and through it by the card brands, to validate compliance, typically once a year, and a missing or incomplete SAQ is treated as non-compliance. Consequences range from non-compliance fees charged by the acquirer to, in the worst case, the card brands or the acquirer refusing to work with the merchant, so that it can no longer process credit or debit cards. A merchant that never works through the questionnaire is also more likely to have unaddressed weaknesses and therefore to suffer a card data theft, after which fines, forensic investigation costs and reissuance costs follow.