As a business that accepts credit cards, you will be required to complete a PCI DSS Self-Assessment Questionnaire (SAQ) each year to validate that you are protecting the cardholder data you handle.
The Payment Card Industry Data Security Standard (PCI DSS) is essential for protecting consumers against identity theft and payment card fraud. The PCI compliance framework is a set of requirements maintained by the PCI Security Standards Council, founded by the major card brands, to ensure all merchants process, store, and transmit cardholder data securely. It also requires you to submit annual assessments or reports attesting to your security controls.
By 2024, businesses and consumers are expected to spend $10.718 trillion in purchases for goods and services using their debit, prepaid, and credit cards. While those are eye-popping numbers, you must also keep in mind gross fraud losses that amounted to $28.65 billion in 2019. It is essential that you protect your customers and yourself by being PCI DSS compliant.
Completing a PCI Self-Assessment Questionnaire (often called an SAQ) is part of your annual compliance process. The PCI SAQ is a validation tool that consists of questions related to the PCI DSS requirements.
When filling out your SAQ, you’ll answer a series of yes-or-no questions for each PCI DSS requirement. If you answer “no” to a question, you will need to record the remediation work in progress and a target date for completing it; if you mark a requirement “not applicable,” you will need to document why it does not apply to your environment.
The SAQ also comes with an Attestation of Compliance (AOC) that includes your declaration of eligibility for that SAQ type. Every business that needs to demonstrate PCI DSS compliance must complete the appropriate Self-Assessment Questionnaire, unless your organization falls into a higher merchant level that requires a Report on Compliance (ROC) produced by a Qualified Security Assessor (QSA) in an on-site audit. As a reminder, the merchant level categories are broken down as follows:
While businesses with lower transaction volumes and lower compliance level requirements must complete the appropriate SAQ, the higher-level merchants will have more required of them in order to become PCI compliant and submit their Report on Compliance.
Below are the steps you need to take to complete the PCI SAQ:
There are nine different types of PCI DSS Self-Assessment Questionnaire. The SAQ you need to use depends on how you accept and process card payments (for example, whether payments are fully outsourced, taken on a terminal, or handled through your own e-commerce site). Below is a quick summary from the PCI Security Standards Council:
The SAQ instructions and guidelines from the PCI Security Standards Council include more details and a flowchart to help you determine which SAQ best applies to your environment. You can also contact your payment processor or acquiring bank to confirm which SAQ applies to you.
The next step is to download and fill out the SAQ. Your IT team, CFO, or the equivalent people in your organization need to answer the questions as accurately as possible to give a clear picture of the security measures you are taking to protect cardholder data. The questionnaires vary in length depending on the kind of operation you run.
You also have to sign the Attestation of Compliance that accompanies the SAQ. This form, signed by an officer of your company, states that you have completed the SAQ and that the answers are accurate.
Depending on the type of SAQ you complete, your business might also be required to have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) and annual penetration tests of your cardholder data environment. These exercises probe your systems from the outside to find weaknesses that cybercriminals could exploit before an attacker does.
When you put security first, you establish multiple layers of defense that benefit your business and your customers. Being PCI DSS compliant also brings you a step closer to other industry standards such as SOC 2 or ISO 27001.
While a recent report shows that only 27.9 percent of merchants achieved full compliance, the benefits of adhering to the standards of the PCI compliance framework clearly outweigh the consequences of non-compliance. If you serve other businesses, being PCI DSS compliant promotes trustworthiness and respect in the industry, enabling you to close deals with enterprise businesses.
On the flipside, non-compliance puts you at risk of data breaches, damaged reputation, legal action, revenue loss, and monthly penalties that may range between $5,000 and $100,000.
There are roughly 300 individual sub-requirements in PCI DSS in total, so it is important to understand which ones apply to your business. In line with its goals of maintaining a secure network, protecting cardholder data, and managing vulnerabilities, the PCI Security Standards Council, founded by Visa, Mastercard, JCB, Discover, and American Express, groups these into 12 primary requirements merchants must meet to be compliant:
If you store, process, or transmit cardholder data, you must meet the applicable PCI DSS requirements and maintain them year-round to stay compliant.
If you need to simplify the process for achieving or maintaining PCI compliance and submitting the proper SAQ annually, Securicy can save your team time. With the Securicy information security management platform (and support from our team when you need a real person), we can help you cut through the dense requirements for PCI compliance.
Learn more about our products and services that can help you become PCI DSS compliant by booking a demo.