Let’s De-Mystify PCI Compliance

If your business accepts credit cards, you've probably heard the term PCI or PCI DSS, and whoever does your credit card processing (your merchant provider) probably has you fill out a form regularly to verify your compliance with PCI DSS. So, what is PCI DSS compliance? What is the SAQ (Self-Assessment Questionnaire), and what are you agreeing to by filling out the SAQ? In this article, I'll try to answer each of these questions and help you determine what your specific PCI DSS requirements are.

What is PCI DSS Compliance – I've posted a few links below to give more detail but, in short, PCI DSS is the Payment Card Industry Data Security Standard: a set of requirements for protecting payment card (credit and debit) cardholder data, developed and maintained by the PCI Security Standards Council, which the major card brands founded. It is NOT a law, although a handful of states have written parts of it into state statute; for most businesses it is enforced contractually, through the merchant agreement with your acquirer, not by a regulator.

What is the SAQ – To accept credit cards as a merchant or service provider, you entered into a legal agreement with your merchant provider and, in that agreement, agreed to abide by the PCI DSS as published by the PCI Security Standards Council. The SAQ, or Self-Assessment Questionnaire, is similar to an open-book test that no one grades unless there's a problem. As long as you fill it out, you get to tell everyone that you passed, and unless the teacher checks (e.g., after a breach, when your acquirer or the card brands can require a forensic investigation), no one finds out otherwise. There are eight (8) SAQ types (A, A-EP, B, B-IP, C, C-VT, D and P2PE, with SAQ D published in separate merchant and service-provider versions), each requiring that the merchant or service provider meet a specific subset of the requirements, depending on how they handle (and what exposure they have to) cardholder data.

What are you agreeing to by filling out the SAQ – There are twelve (12) requirement categories under the version of PCI DSS that was current when this was written (v3.2.1), each with a number of specific requirements in that category:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

Depending on which SAQ fits your business, you may have obligations under as few as three of the categories (SAQ P2PE covers only requirements 3, 9 and 12) or you may have obligations under all twelve (SAQ A-EP, C and D each cover all 12). By filling out the SAQ, you are confirming two things: that your business meets the eligibility criteria for that SAQ (Part 2g of the Attestation of Compliance, present on every SAQ except SAQ D, which has no eligibility criteria because it applies to everyone who does not qualify for a shorter one), and that you meet every requirement the SAQ lists, per your agreement with your merchant provider. If you cannot honestly answer "Yes" to a requirement, the SAQ expects you to record a compensating control or an action plan for remediation, not to check the box anyway.

For a free, no-obligation analysis of your PCI DSS Requirements and a copy of the Self Assessment Questionnaire required for your business, simply complete this short questionnaire.

Additional Information
