PCI self-assessment questionnaires (SAQs) are tools that merchants and service providers must complete as evidence of their PCI DSS self-assessment. SAQs need to be submitted yearly to your acquiring bank to demonstrate compliance with the latest version of the PCI Data Security Standard, which is currently PCI DSS 3.2.
When you navigate to the PCI Security Standards Council website, you will see a list of 8 PCI SAQs to choose from, based on your organization and how you process credit card transactions. Needless to say, choosing the right one can be a bit confusing and overwhelming. While the PCI Security Standards Council has a chart that you can review here, I wanted to give you a quick rundown on the different PCI SAQs, the conditions that you must meet for each SAQ, how they differ from one another, as well as a tip on how to choose the right one. Here are the SAQs:
As you can see, the list of SAQs is long, and deciding which one you should complete can be overwhelming. Here are a couple of guidelines you can use to help narrow down the appropriate SAQ:
Card Not Present Transactions - SAQ A, SAQ A-EP, SAQ D
Card Present Transactions - SAQ B, SAQ B-IP, SAQ C, SAQ C-VT, SAQ P2PE-HW, and SAQ D
Service Providers - SAQ D
Here is the one tip that I want to give merchants to help you select the appropriate PCI SAQ to complete: ask your acquiring bank! If you aren't sure, ask. They are the ones who can tell you without a doubt which SAQ is appropriate based on your environment, so pick up the phone and call them. Eliminate the guesswork and confusion and get the answer from the source.
Feel free to contact us with any PCI compliance questions that you have or drop a question in the comments below!