PCI SAQ Compliance

The PCI SAQ (Self-Assessment Questionnaire) applies to small merchants and service providers who do not need to undergo an onsite audit and submit a Report on Compliance to their acquiring banks or payment brands, but who must still comply with all applicable requirements of the PCI DSS standard. Depending on the business model, one or more SAQ types may apply to your organization.

PCI SAQ CONSULTING

Crossbow can assist you in identifying the SAQ type applicable to you based on your business model, and guide you through the assessment questionnaire and its documentation requirements. We will also help you understand the intent of each requirement and advise you on implementing the right security controls to meet it.

We will perform a comprehensive audit at the end of the implementation stage to ensure your infrastructure is secure. Audit reports and evidence documentation from the CSAP program are designed to satisfy multiple compliance standards, easing your workload in meeting various regulatory compliance requirements.

PCI SAQ TYPES

PCI SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

PCI SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Applicable only to e-commerce channels.

PCI SAQ B: Merchants using only:

  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.

PCI SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.

PCI SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
Not applicable to e-commerce channels.

PCI SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
Not applicable to e-commerce channels.

PCI SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
Not applicable to e-commerce channels.

PCI SAQ D for Merchants: All merchants not covered by the descriptions of the above SAQ types.

PCI SAQ D for Service Providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.

*SAQ type descriptions sourced from: https://www.pcisecuritystandards.org