What is a PCI DSS Self-Assessment Questionnaire?

Posted on October 1, 2021 - by Laird Wilton - in PCI DSS

What is a PCI self-assessment questionnaire?

As a business that accepts payment cards, you will usually be asked by your acquiring bank or payment processor to complete a PCI DSS Self-Assessment Questionnaire (SAQ) every year to validate that you meet the standard's requirements for protecting cardholder data.

The Payment Card Industry Data Security Standard (PCI DSS) exists to protect cardholder data against theft and payment card fraud. It is a set of security requirements maintained by the PCI Security Standards Council, which the major card brands founded, and it applies to every merchant and service provider that processes, stores, or transmits cardholder data. The card brands and your acquirer also require you to validate your compliance annually, either with an SAQ or with a Report on Compliance.

By 2024, businesses and consumers are expected to spend $10.718 trillion in purchases for goods and services using their debit, prepaid, and credit cards. While those are eye-popping numbers, you must also keep in mind gross fraud losses that amounted to $28.65 billion in 2019. It is essential that you protect your customers and yourself by being PCI DSS compliant.

Completing the PCI DSS Self-Assessment Questionnaire

Completing a PCI Self-Assessment Questionnaire (often called an SAQ) is part of your annual compliance process. The PCI SAQ is a validation tool that consists of questions related to the PCI DSS requirements. 

When filling out your SAQ, you answer a series of yes-or-no questions, one for each PCI DSS requirement that the SAQ covers. A "no" answer must be accompanied by an action plan: what you are doing to close the gap and by what date. If a requirement genuinely does not apply to your environment, you mark it "N/A" and explain why. Where a requirement is met by a different control than the one the standard names, the SAQ lets you answer "yes with a compensating control worksheet" and document that control.

Each SAQ comes with an Attestation of Compliance (AOC), which includes your declaration that you are eligible to use that SAQ type. Every business validating PCI DSS compliance must complete the appropriate SAQ, unless it falls into a merchant level that instead requires a Report on Compliance (ROC) from a Qualified Security Assessor (QSA) after an on-site assessment. As a reminder, the merchant levels are broken down as follows (these figures are Visa's; the other card brands define their own, similar tiers):

  • Level 1 is for merchants with more than six million transactions per year.
  • Level 2 is for merchants that process one to six million transactions annually.
  • Level 3 is for merchants that process between 20,000 and one million e-commerce transactions annually.
  • Level 4 is for merchants that process fewer than 20,000 e-commerce transactions annually, or up to one million transactions through other channels.

The PCI DSS requirements themselves are the same at every level; what changes is how you validate. Merchants at the lower levels validate with the appropriate SAQ, while Level 1 merchants have more required of them: an annual on-site assessment and a Report on Compliance, normally performed by a QSA.

Below are the steps you need to take to complete the PCI SAQ: 

Which PCI DSS Self-Assessment Questionnaire Should You Use?

There are nine different PCI DSS Self-Assessment Questionnaires under version 3.2.1 of the standard, and the one you must use depends on how you accept and process cards. In brief:

  • SAQ A: card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third parties and retain only paper reports or receipts.
  • SAQ A-EP: e-commerce merchants that outsource payment processing to validated third parties but whose own website affects the security of the payment, for example because it serves the page that redirects or posts to the payment provider.
  • SAQ B: merchants using only imprint machines or standalone dial-out terminals, with no electronic cardholder data storage.
  • SAQ B-IP: merchants using only standalone PTS-approved payment terminals with an IP connection to the payment processor, with no electronic storage.
  • SAQ C-VT: merchants that manually key one transaction at a time into a web-based virtual terminal from an isolated computer, with no electronic storage.
  • SAQ C: merchants with a payment application system connected to the Internet, with no electronic storage.
  • SAQ P2PE: merchants using only hardware terminals that are part of a PCI-listed P2PE solution, with no electronic storage.
  • SAQ D for Merchants: all other SAQ-eligible merchants, including any that store cardholder data electronically.
  • SAQ D for Service Providers: service providers that a card brand or acquirer has deemed eligible to validate with an SAQ.

Below is the quick summary from the PCI Security Standards Council:

[Table: PCI self-assessment questionnaire types. Source: https://www.pcisecuritystandards.org/documents/SAQ-InstrGuidelines-v3_2_1.pdf?agreement=true&time=1628871117903 (page 8)]

The SAQ instructions and guidelines from PCI include more details and a flowchart to help you determine what SAQ best applies to your environment. You can also contact your payment card processor or bank to check which SAQ would apply to you.

[Figure: choosing an SAQ based on your payment environment. Source: https://www.pcisecuritystandards.org/documents/SAQ-InstrGuidelines-v3_2_1.pdf?agreement=true&time=1628871117903 (page 18)]

Download and Fill Out the SAQ

The next step is to download and fill out the SAQ. Your IT and security staff, your finance lead (CFO or equivalent), and whoever owns the payment process need to answer the questions as accurately as possible, describing the controls that are actually in place rather than those that are planned, so the SAQ gives a true picture of how you protect cardholder data. The questionnaires vary in length with the kind of operation you run, from a couple of dozen questions for SAQ A to several hundred for SAQ D.

You also have to sign the Attestation of Compliance (AOC) that accompanies the SAQ. An executive officer signs it to attest that the SAQ was completed accurately, that you are eligible for that SAQ type, and that any required vulnerability scans were passed. The completed SAQ and AOC go to your acquirer or payment processor, not to the PCI Security Standards Council.

Penetration Test and Vulnerability Scans

Depending on which SAQ you complete, your business may also have to run quarterly external vulnerability scans through a PCI SSC Approved Scanning Vendor (ASV) and an annual penetration test, plus rescans or retests after significant changes to your environment (Requirement 11). The two are not the same thing: a vulnerability scan is automated and reports known weaknesses such as unpatched software, exposed services, or weak TLS configuration, whereas a penetration test has a tester actively try to exploit weaknesses to reach cardholder data. Where scans are required, a passing ASV scan must accompany your SAQ and AOC, and any failures must be fixed and rescanned until you pass.

Benefits of PCI DSS Compliance

When you put security first, you establish multiple layers of defense that benefit both your business and your customers. Being PCI DSS compliant also brings you a step closer to other industry standards such as SOC 2 or ISO 27001, since many of the controls overlap.

While a recent report shows that only 27.9 percent of merchants maintained full compliance, the benefits of adhering to the PCI compliance framework clearly outweigh the effort, and the consequences of non-compliance are severe. If you serve other businesses, being PCI DSS compliant promotes trustworthiness and respect in the industry and helps you close deals with enterprise customers, who will routinely ask for your AOC during vendor due diligence.

On the flip side, non-compliance puts you at risk of data breaches, reputational damage, legal action, and revenue loss, and the card brands can levy monthly fines on your acquiring bank, commonly cited as $5,000 to $100,000 per month, which the bank passes on to you.

PCI DSS Requirements

There are about 300 security controls in PCI DSS in total, so it is important to understand which ones apply to your business. In line with its goals of building a secure network, protecting cardholder data, and managing vulnerabilities, the PCI Security Standards Council, founded by Visa, Mastercard, JCB, Discover, and American Express, groups those controls under 12 primary requirements that merchants must meet to be compliant:

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Requirement 3: Protect stored cardholder data, for example by rendering the PAN unreadable with truncation, one-way hashing, tokenization, or strong encryption.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software.
  • Requirement 6: Develop and maintain secure systems and applications, including promptly installing security patches.
  • Requirement 7: Restrict access to cardholder data by business need to know.
  • Requirement 8: Identify and authenticate access to system components, so that every user has a unique ID and actions can be traced to an individual.
  • Requirement 9: Restrict physical access to cardholder data.
  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.
  • Requirement 12: Maintain a policy that addresses information security for all personnel.

If you store or process cardholder data, you must meet PCI DSS requirements and maintain them to stay compliant.  
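As an added worked example (not code from the original post or from Securicy), here is a small Python check a practitioner might run before answering the Requirement 3 questions: it finds card numbers that have leaked unmasked into application logs, confirms each candidate with the Luhn check so order numbers and timestamps are not flagged, and masks hits to the first six and last four digits. The log lines and the matching pattern are this example's own assumptions; the card numbers are the card brands' published test numbers, not real cards.

```python
"""Log audit for unmasked card numbers (PCI DSS Requirement 3).

Added example, not code from the original post or from Securicy.
Assumptions (not from the page): the sample log lines are constructed;
masking keeps the first six and last four digits, the most PCI DSS 3.3
permits to be displayed, and your own policy may show fewer.
"""
from __future__ import annotations

import re

# A PAN is 13 to 19 digits; allow single spaces or dashes between digits
# so "4111 1111 1111 1111" is caught too. The lookarounds stop a match
# from starting or ending inside a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check-digit test; filters out order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN masked to its first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in text, as plain digit strings."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Replace each Luhn-valid PAN in a log line with its masked form."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _PAN_CANDIDATE.sub(_mask, line)


def audit_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every unmasked PAN in the log."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


# Constructed sample log lines. The card numbers are the public test numbers
# Visa, American Express and Mastercard publish, not real cards. Line 1 holds
# a 16-digit order id that fails Luhn; line 4 holds an already-masked PAN.
SAMPLE_LOG = [
    "2021-10-01T12:00:01Z INFO  order=1234567890123456 status=ok",
    "2021-10-01T12:00:02Z DEBUG auth card=4111 1111 1111 1111 exp=12/24",
    "2021-10-01T12:00:03Z DEBUG auth card=378282246310005 amount=19.99",
    "2021-10-01T12:00:04Z INFO  refund ref=9876543210 pan=555555******4444",
]

if __name__ == "__main__":
    for n, masked in audit_log(SAMPLE_LOG):
        print(f"line {n}: unmasked PAN found, would display as {masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run it as a script to see which of the sample lines would fail a Requirement 3 review. In practice you would point audit_log at your real log files and treat any hit as both a remediation item for the SAQ and a scoping problem, because a system that holds unmasked PAN is in scope for the full set of requirements.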

Let Our Team of Experts at Securicy Help You Get PCI Compliant

If you need to simplify the process for achieving or maintaining PCI compliance and submitting the proper SAQ annually, Securicy can save your team time. With the Securicy information security management platform (and support from our team when you need a real person), we can help you cut through the dense requirements for PCI compliance.

Learn more about our products and services that can help you become PCI DSS compliant by booking a demo.

About the author

Laird Wilton is a tech entrepreneur, Techstars alumnus, board member, and the COO and Co-Founder of Securicy. Securicy’s SaaS offering guides businesses through creating, implementing, and managing their information security and privacy compliance program.

Laird lives in Cape Breton, Nova Scotia with his wife and young family. When not working, he spends his time traveling with his family, coaching minor football, playing hockey and volunteering at his community’s recreation center.