The SAQ (Self-Assessment Questionnaire) is a self-assessment form for organizations that must comply with the PCI DSS standard. It is used in situations where a company undergoes a light audit instead of an ASV scan.
To be eligible for the SAQ, one of the following conditions must be met: the customer is not a financial institution, processing center or global provider, or its number of transactions does not exceed 300,000 per year.
Types of SAQ
Depending on how electronic payments are processed, the self-assessment questionnaire is divided into eight types.
- Type “A”. Assigned to organizations that do not process bank card payments themselves. They rely on third-party companies that have been fully audited against the PCI DSS standard and act only as a router of the end user's money.
- Type “A-EP”. The legal entity has its own website, but payment is handled by a third party that has been audited. This option applies to e-commerce channels.
- Type “B”. Organizations use stand-alone terminals that connect to the provider over a telephone line to make payments.
- Type “B-IP”. The company uses stand-alone electronic terminals that comply with the PCI DSS standard and connect over TCP/IP.
- Type “C-VT”. To make an electronic transaction, the legal entity manually enters the bank card data into a terminal each time. The terminal connects to an external network over TCP/IP and complies with the PCI DSS standard.
- Type “C”. The organization accepts payments through POS terminals connected to the Internet directly or through a proxy server.
- Type “P2PE”. The company uses only certified P2PE products.
- Type “D”. Applies to all other companies that do not fit the types above.
In all SAQ variants, cardholder data is not stored, transmitted or processed on the organization's side.
Filling out the self-assessment questionnaire is difficult because of the specific wording. If the customer has difficulties, it is recommended to engage a third party that holds the necessary certificates.
Companies that offer assistance in completing the self-assessment questionnaire undergo paid internal audit training in accordance with the PCI DSS standard.