by Dave Gavic
October 12, 2011 8:00AM
As a merchant today, I am sure you have heard some new terms like hacker, cardholder data environment, breach, PCI, ASV and other words that you thought you would never encounter when you started in this business. Whether you have been in business for 20 years or are just starting out, your vocabulary has been encumbered by an entirely new language. Today we will discuss another term that should be incorporated into your everyday new “hip” vocabulary. Although only a short three-letter acronym, this term is a major piece of the PCI compliance puzzle and is directly tied to your ability to collect payments. SAQ, commonly pronounced “sack”, is a term that, as we evolve into the plastic payment era, merchants should be familiar with for many reasons. SAQ stands for Self-Assessment Questionnaire, and if merchants do not fill out a SAQ, the acquiring banks can levy fines and possibly even take away the merchant’s ability to accept credit cards as a payment option, leaving cash as the only viable form of payment.
The Self-Assessment Questionnaire is a series of questions that lets a merchant validate compliance itself, rather than having an onsite assessment performed by a Qualified Security Assessor. Think of the SAQ as a way to self-validate your business as far as network security and the safekeeping of your customers’ credit card data are concerned. In today’s world as a merchant, you are overwhelmed with new technology to make your business more efficient, new POS (Point-of-Sale) systems to keep an eye on your bottom line, and more payment options for the consumer to speed up their experience. Having the ability to accept credit cards, debit cards, and gift cards has now upped the stakes in the game, and that is where the SAQ comes in.
The SAQ consists of two parts: the actual SAQ, made up of 12 requirements with a series of questions, and an Attestation of Compliance (AoC), which is a document acknowledging that the merchant has filled out the correct SAQ for their environment. The SAQ, along with the AoC, must be completed annually by every merchant that processes, stores, or transmits credit card data. Not every merchant processes credit cards the same way, and that is why the SAQ has five different versions. Each version is tailored to the way in which the merchant utilizes credit cards in the payment acceptance channel. The five SAQs are: A, B, C, C-VT, and D.
In the next installment, I will delve into the SAQs individually, explain their differences, and discuss selecting the appropriate SAQ that fits you and your business best.
Read the Entire SAQ 101 Blog Series:
- SAQ 101: Introduction to the SAQ (currently viewing)
- SAQ 101: Selecting the Appropriate SAQ For You
- SAQ 101: Taking a Look at the 12 Requirements
- SAQ 101: Requirement 1
- SAQ 101: Requirement 2
- SAQ 101: Requirement 3
- SAQ 101: Requirement 4
- SAQ 101: Requirement 5
- SAQ 101: Requirement 6
- SAQ 101: Requirement 7
- SAQ 101: Requirement 8 – Part 1
- SAQ 101: Requirement 8 – Part 2
- SAQ 101: Requirement 9 – Part 1
- SAQ 101: Requirement 9 – Part 2
- SAQ 101: Requirement 10
- SAQ 101: Requirement 11