PCI DSS Self-Assessment Questionnaire (SAQ) Types

This reference guide describes Self-Assessment Questionnaire (SAQ) Types used in the PCI DSS compliance monitoring process.

SAQ P2PE

Self-Assessment Questionnaire Point-to-Point Encryption (SAQ P2PE) is a specific type of self-assessment questionnaire designed for merchants and service providers who use Point-to-Point Encryption (P2PE) solutions to secure credit card data during transactions. At UCSF we have implemented P2PE wherever possible, primarily through our partnership with Bluefin and the use of their encrypted terminals.

Here's an explanation of the key components and details of PCI SAQ P2PE:

Point-to-Point Encryption (P2PE)

P2PE is a technology that encrypts credit card data at the point of interaction (e.g., at a payment terminal) and keeps it encrypted until it reaches the payment processor's secure environment. This reduces the risk of cardholder data exposure during transactions.

SAQ P2PE Eligibility

To be eligible to use SAQ P2PE, a merchant or service provider must have implemented a validated P2PE solution, and their P2PE solution must cover all payment card data (i.e., cardholder data must be encrypted from the point of capture through to the point of decryption). Additionally, they should not store any sensitive payment data electronically after authorization.
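One practical way to check the "no clear-text cardholder data after authorization" condition is to scan the merchant's own systems (application logs, support tickets, exported reports) for anything that looks like a card number, since a P2PE environment should only ever see ciphertext and tokens. The script below is an added example written for this guide; it is not code from the page, from UCSF or from Bluefin. It uses a constructed set of log lines containing only industry-known test card numbers, and its own assumed function names (`find_pans`, `scan_log`, `mask_pan`). A candidate is any run of 13 to 19 digits (optionally separated by spaces or dashes) that also passes the Luhn mod-10 check, which filters out most order numbers and timestamps; anything found is reported masked to first six/last four.

```python
"""Scan text for clear-text card numbers (PANs), which should not appear in
a P2PE merchant environment.  Added example; not part of the original guide."""
import re
from typing import List, Tuple

# Constructed sample log lines.  The card numbers are publicly known test
# PANs, not real cards; the format is an assumption about what a merchant's
# application log might look like.
SAMPLE_LOG_LINES = [
    "2024-05-01 10:00:01 INFO  auth ok txn=8841 pan=4111111111111111 amt=12.50",
    "2024-05-01 10:00:02 INFO  auth ok txn=8842 token=tok_9f3a2c order=55012",
    "2024-05-01 10:00:03 WARN  retry card 5500-0000-0000-0004 declined",
    "2024-05-01 10:00:04 INFO  ref=1234567890123 shipped",          # 13 digits, fails Luhn
    "2024-05-01 10:00:05 INFO  p2pe blob=AB12CD34EF56... ksn=FFFF9876543210E00001",
]

# Candidate PAN: 13-19 digits, each optionally followed by a space or dash,
# and not glued to further digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return separator-free digit strings in `text` that look like PANs."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines) -> List[Tuple[int, str]]:
    """Return (1-based line number, masked PAN) for every PAN found."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG_LINES):
        print(f"line {n}: clear-text PAN found ({masked}); this system is in PCI DSS scope")
```

Lines 1 and 3 are flagged (the token on line 2, the non-Luhn reference number on line 4 and the encrypted blob and key serial number on line 5 are not), which is the outcome a P2PE merchant wants: only tokens and ciphertext in its own systems. A hit means the system handling that log is back in full PCI DSS scope and the SAQ P2PE eligibility claim no longer holds until the leak is fixed.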

Compliance Requirements

SAQ P2PE is shorter and less comprehensive than other SAQs because P2PE solutions significantly reduce the scope of PCI DSS requirements for the organization. Merchants and service providers using SAQ P2PE only need to answer a limited set of questions that are directly related to the security of their P2PE implementation.

Validation

Organizations using SAQ P2PE must work with a Qualified Security Assessor (QSA) to validate their compliance. The QSA will review the completed SAQ and the organization's P2PE solution to ensure that all security requirements are met.

Ongoing Compliance

Organizations using P2PE must maintain their P2PE solution in accordance with the vendor's instructions and continue to comply with the SAQ P2PE requirements. Regular security assessments and audits may be necessary to ensure ongoing compliance.

In summary, PCI SAQ P2PE is a self-assessment questionnaire designed for organizations that have implemented Point-to-Point Encryption solutions to secure credit card data. It is a streamlined version of the PCI DSS SAQ that focuses on the specific security requirements associated with P2PE technology. Merchants and service providers that qualify for SAQ P2PE can use it to demonstrate their compliance with PCI DSS while benefiting from a reduced set of requirements, because P2PE keeps clear-text cardholder data out of their own environment.

SAQ B

SAQ B is intended for businesses that process cardholder data via imprint machines or standalone dial-out terminals that are not connected to any network. In other words, it's for businesses that use older, standalone payment processing methods that don't involve electronic data transmission. SAQ B is a shorter and less comprehensive self-assessment questionnaire compared to some of the other SAQs, as it's tailored to the lower level of risk associated with these specific processing methods.

Here are some key points about PCI SAQ B:

Eligibility

SAQ B is typically applicable to merchants and organizations that primarily use standalone, non-networked point-of-sale (POS) devices to capture and process payment card data. This may include manual imprinters or dial-out terminals.

Limited Network Scope

Businesses using SAQ B should have a very limited or no connection to computer networks. The focus here is on keeping cardholder data isolated from electronic systems.

Security Requirements

SAQ B includes a subset of the security requirements outlined in the full PCI DSS. It covers essential security measures, such as physical security, access control, and secure storage of cardholder data.

Self-Assessment

As the name suggests, SAQ B is a self-assessment questionnaire. Businesses complete this questionnaire to evaluate their compliance with the specified PCI DSS requirements. They must answer the questions honestly and accurately.

Attestation

After completing SAQ B, the business must also submit an Attestation of Compliance (AOC) to affirm that they have completed the self-assessment and that they are in compliance with the applicable PCI DSS requirements.

Reporting

SAQ B is generally used for reporting compliance status to payment card brands and acquiring banks. It helps demonstrate that the business is taking adequate steps to protect cardholder data, even if they are using relatively low-tech payment processing methods.

It's important for businesses to choose the appropriate SAQ based on their payment processing methods and network environment. Failing to accurately assess their compliance and security measures can result in fines, penalties, and increased risk of data breaches.

As PCI DSS requirements and compliance guidelines may change over time, it's essential for businesses to consult the latest documentation and guidance provided by the PCI SSC or their acquiring bank to ensure they are using the correct SAQ and maintaining compliance with industry standards.

SAQ C

SAQ C is specifically intended for merchants and service providers that have a more complex cardholder data environment than those eligible for SAQ A or SAQ A-EP but don't meet the criteria for SAQ B, which is designed for merchants using imprint machines with no electronic cardholder data storage.

Here's an overview of SAQ C:

Eligibility

Organizations that can use SAQ C typically have a cardholder data environment (CDE) that includes electronic cardholder data storage, but they do not process cardholder data through their own systems. SAQ C is divided into several variations, including SAQ C-VT and SAQ C for Merchants.

Scope

SAQ C assesses the security controls and practices in place to protect cardholder data within the CDE. It includes various security requirements covering network security, access control, physical security, and more.

Questionnaire Contents

The SAQ C questionnaire includes a series of yes/no questions and requirements. Depending on the specific variation of SAQ C, it may include additional questions tailored to the organization's cardholder data environment.

Security Requirements

SAQ C typically addresses the following PCI DSS requirements, among others:

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  • Requirement 5: Use and regularly update antivirus software.
  • Requirement 6: Develop and maintain secure systems and applications.
  • Requirement 7: Restrict access to cardholder data by business need to know.
  • Requirement 8: Identify and authenticate access to system components.
  • Requirement 9: Restrict physical access to cardholder data.
  • Requirement 12: Maintain a policy that addresses information security for all personnel.

Attestation of Compliance (AOC)

After completing the SAQ, organizations are required to fill out, or obtain from their Third Party Service Provider (TPSP), a current (no older than 6 months) Attestation of Compliance (AOC) form that includes the scope of the services being provided and declares that they are in compliance with PCI DSS. This form must be signed by an authorized signatory and submitted to their acquiring bank or payment card brand as required.

Validation

Depending on the specific circumstances and the organization's relationship with their acquiring bank or payment card brand, they may be subject to periodic or ad-hoc validation of their compliance. This might involve on-site assessments or additional documentation.

It's essential for organizations to accurately determine their PCI DSS scope and select the appropriate SAQ. Choosing the wrong SAQ can result in non-compliance or exposure to security risks. Additionally, SAQ C compliance requires ongoing monitoring and maintenance to ensure that security controls remain effective. Organizations should stay up to date with the latest PCI DSS requirements and maintain compliance as the cardholder data environment evolves.