The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers in reporting the results of their PCI DSS self-assessment.

TrustedSec can help determine which SAQ best applies to your organization and, more importantly, assist in the process of completing the questionnaire.

When self-assessing, it is important that the right SAQ is chosen. Organizations often find that they do not meet all of the eligibility criteria for the SAQ they would like to complete and are therefore burdened with the full set of PCI DSS requirements. Engaging with TrustedSec can provide invaluable assistance in determining which SAQ is most applicable and in reducing the scope of your cardholder data environment. An SAQ counter-signed by a QSA has significantly more credibility.

Potential Liabilities

  • Lost confidence, so customers go to other merchants
  • Diminished sales
  • Cost of reissuing new payment cards
  • Fraud losses
  • Higher subsequent costs of compliance
  • Legal costs, settlements, and judgments
  • Fines and penalties
  • Termination of ability to accept payment cards

PCI Self-Assessment Questionnaire

Questionnaire: How do you accept credit cards?

A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

B: Merchants using only:

  • Imprint machines with no electronic cardholder data storage
  • Standalone, dial-out terminals with no electronic cardholder data storage

B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.

C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.

C: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.

P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.

D for Merchants: All merchants not included in the descriptions for the above types.

D for Service Providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.

Author: David Kennedy

Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.