What You Need to Know About the 9 PCI Self-Assessments

Learn about the PCI self-assessment questionnaires you must complete to achieve or maintain PCI compliance, and how to fast-track PCI compliance with Skyflow.

PCI non-compliance fines can range from $5,000 to $100,000 a month. To maintain compliance — and avoid costly violations — the first step for most merchants is to complete a Self-Assessment Questionnaire (SAQ). 

Merchants use SAQs to assess their adherence to PCI DSS, a critical data security standard. All merchants should ideally complete a SAQ every year to identify (and resolve) potential security issues. These requirements are controlled and outlined by the PCI Security Standards Council (PCI SSC).

In this post, we’ll review the nine self-assessment questionnaires — and look at which PCI requirements your business should satisfy to support the payments you need. We’ll also look at how Skyflow can help you achieve compliance while giving you more control over payment orchestration.

What Are the 9 Self-Assessment Questionnaires (SAQs)?

There are nine self-assessment questionnaires that are applicable to a range of PCI transaction workflows. To determine which one you should complete, you need to consider a variety of criteria that range from how you process and protect cardholder data to the hardware you use to process your transactions. 

The easiest way for a merchant to know which SAQ they should fill out is to ask their acquiring bank — the bank or merchant processor actually processing their transactions. Acquiring banks are responsible for ensuring that you have filled out the right assessment questionnaires.

SAQ A: Card-Not-Present Transactions

SAQ A is the questionnaire a merchant uses when their business outsources payment transactions to a third-party payment vendor like Stripe by using an iFrame or SDK provided by that vendor. The merchant isn’t handling any credit card data on their own — Stripe is handling everything. SAQ A merchants process card-not-present transactions, whether using the internet, by phone, or even by mail order. Such merchants have fully outsourced their payments to a third party.

SAQ A is an easy self-assessment questionnaire with just 22 questions.

SAQ A-EP: Third-Party Ecommerce Transactions

Merchants that complete third-party ecommerce transactions through a payment provider, such as a large ecommerce site managing transactions through Stripe or PayPal, will fill out an SAQ A-EP questionnaire. Such merchants manage transactions through a third-party payment processor online, so they use a different questionnaire than SAQ A. SAQ-EP merchants still process card-not-present transactions because card details are collected online. 

SAQ A-EP is a difficult self-assessment questionnaire with 191 questions.

SAQ B: Card-Present and Card-Not-Present Brick-and-Mortar Transactions

SAQ B merchants process card-present and card-not-present transactions with standalone point-of-sale dial-up terminals that don’t store credit card details. In fact, SAQ B merchants aren’t allowed to store credit card details. An SAQ-B business could maintain vending machines that individually process dial-in credit card transactions — credit cards are present. The business could also perform transactions over the phone for individual merchandise items in their brick-and-mortar business.

SAQ B is a fairly easy self-assessment questionnaire with 41 questions.

SAQ B-IP: Transactions with Approved Terminals Over the Internet

A SAQ B-IP merchant will process card-present or card-not-present transactions using approved payment terminals (such as a physical card swiping system) that process transactions over the Internet. For example, a restaurant that processes meal tickets for their customers using a point-of-sale system, like Clover, would use the SAQB-IP questionnaire. The card swiping system is not connected to the merchant’s other systems, and all card transaction data is filtered through the approved terminals.

SAQ B-IP is a challenging self-assessment questionnaire with 82 questions.

SAQ C: Transactions Only Through Terminal

SAQ C merchants process transactions purely through terminals, such as a merchant that only processes transactions through vending machines. Such merchants are not considered ecommerce merchants even if they handle a high volume of transactions, as long as all of their PCI transactions are handled through a terminal dedicated to handling payments and they don’t store sensitive payment card details. 

SAQ C is a challenging self-assessment questionnaire with 160 questions.

SAQ C-VT: Transactions Through Online Virtual Terminals

SAQ C-VT merchants process transactions using web-based virtual terminals that require the merchant to enter card details rather than physical payment systems. So, unlike a SAQ C merchant, SAQ C-VT merchants might run their virtual terminal app on hardware that serves other business purposes. 

SAQ C-VT is a challenging self-assessment questionnaire with 79 questions.

SAQ P2PE: Transactions Using Only Hardware Terminals with End-to-End Encryption

A SAQ P2PE merchant processes transactions using card-swiping terminals that send data directly to a third-party processor, for example,  a Verifone or PAX terminal device. SAQ P2PE merchants only use terminals that are certified by PCI DSS to have validated point-to-point encryption. Therefore, the encryption standards have already been validated by PCI DSS to meet security standards. SAQ P2PE merchants process transactions with P2PE hardware solutions and don’t interact with or store sensitive payment card details. 

SAQ P2PE is an easy self-assessment questionnaire with 33 questions.

SAQ D Merchant and Service Provider: All Other Merchants

SAQ D is the most comprehensive questionnaire, and it applies to merchants who don’t meet the criteria for other SAQs, such as those who handle key PCI DSS scope requirements in their environment or who electronically store cardholder data. If a merchant has an atypical situation — they’re using multiple methods to capture information, for example — they might need to fill out a SAQ D. 

SAQ D is the most difficult self-assessment questionnaire, with 328 questions.

Which PCI DSS Requirements Should You Satisfy?

In brief? All of them.

There are 12 general PCI DSS requirements, and merchants are required to comply with all of them. SAQs are used to assess how a merchant is following these PCI DSS requirements, in terms of how they process transactions. 

For example, your company could start out by using a single hardware terminal and only need to fill out the SAQ P2PE. But as your company grows, you might integrate an ecommerce platform over the internet and need to fill out a SAQ C-VT. So, your business requirements will change over time.

The following is a list of the 12 PCI DSS requirements that merchants fulfill across the domains of physical and cybersecurity: 

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

You might be required to engage a qualified security assessor (QSA) or fill out an Attestation of Compliance (AOC) to maintain PCI DSS compliance, but this is separate from the PCI DSS self-assessment questionnaire. Your PCI compliance level depends not on your PCI questionnaire, but instead on your volume of transactions. 

You can learn more from the PCI DSS Quick Reference Guide, or you can read on to learn how Skyflow can help you to ease PCI compliance while giving you increased control over payment processing.

Fast-Track PCI Compliance and Avoid “PCI Lock-in” with Skyflow

When seeking PCI DSS compliance, many businesses start with their payment service provider (PSP). PSPs make it easy for merchants to maintain compliance, but if the PSP is handling their PCI data, merchants end up “locked in” with that provider. When your PCI compliance process is handled through a merchant provider (including hardware payment terminals), it comes at the cost of business agility.

Being “locked-in” with a single provider causes several issues for your business: 

• Vulnerability to Service Cancellation: If your account is canceled or compromised, you can no longer process payments – and you can’t quickly switch to another PSP
• Difficulty of Switching PSPs: If the service provider charges high fees or low authorization rates, you might be hesitant to switch to another PSP because you want to maintain compliance and can’t quickly switch back if the need arises
• Hindrance to Global Expansion: If you want to expand into new markets using payment service providers that offer better service and terms in those markets, you can’t easily do this if you’re reliant on a single PSP.

Skyflow helps you escape PCI lock-in for card-on-file transactions by putting you in control of your customer PCI data without expanding your scope of PCI compliance. With Skyflow’s PCI Level 1 certified solution, you can orchestrate payments between PSPs rather than relying on a single processor. Using multiple payment processors lets you maintain agility, negotiate better deals, and ease PCI compliance without sacrificing control over your PCI data.

And you can do it all without having to micromanage your implementation of the Payment Card Industry Data Security Standard.

Skyflow helps you maintain your PCI compliance by letting you: 

• Isolate Sensitive PCI Data. Because sensitive data is collected using Skyflow SDKs and isolated in a data privacy vault that’s separate from your other systems, your scope of PCI compliance is restricted to the vault
• Protect Sensitive PCI Data. Skyflow protects sensitive data, including PCI data, at rest, in transit, and while in use using several privacy-enhancing techniques, including tokenization and encryption
• Govern Data Access. Skyflow uses fine-grained access controls to restrict access to only those workflows that need sensitive PCI data

To learn how Skyflow lets you isolate, protect, and govern sensitive data, read our data privacy vault blog post.

Try Skyflow

Skyflow provides comprehensive PCI compliance solutions that free you from the need to bet your business on a single payment service provider. Instead, you can use our proven and scalable solution to ease compliance with PCI DSS.

Using a data privacy vault that removes all card data from your infrastructure and systems greatly reduces your compliance scope and accelerates your compliance timeline. And if you’re already compliant, you can use Skyflow without impacting your PCI transaction workflows.

With Skyflow Data Privacy Vault, you not only have a fast and easy way to reduce PCI scope and make it easier to achieve PCI compliance, you can also work with multiple payment processors to increase your payment authorization rates, avoid outages, and lower your transaction fees.

Skyflow also handles other types of sensitive data, so you can use it to ease compliance with data privacy laws like HIPAA, GDPR, and CPRA.