Self-assessment Questionnaire (SAQ)

A Self-Assessment Questionnaire certainly sounds self-explanatory, but when the term is used in the context of the PCI DSS it takes on a more specific meaning.

The PCI DSS is a worldwide data privacy standard that must be adopted by any company, of any scale, that accepts credit cards. It outlines common-sense protection measures that are aligned with industry best practices.

Deploying such a large-scale global standard means that efficient audit measures need to be in place to verify compliance. In addition to the official full audit with a Qualified Security Assessor (QSA), which produces a detailed Report on Compliance (RoC) and applies to the largest-scale entities, the PCI also has a system in place to verify compliance for "smaller-scale" operators: the Self-Assessment Questionnaire system.

What is the PCI Self Assessment Questionnaire?

The "SAQ" is a PCI DSS compliance validation tool for merchants and service providers who are not required to undergo an on-site assessment. Different SAQ variants exist to fit different business circumstances.

The compliance validation requirements for an entity are defined by its number of transactions, the potential harm from a breach, and the degree of exposure it introduces into the payment system.

Anyone looking to comply with the PCI DSS standard can report their self-assessment results through an official Self-Assessment Questionnaire provided by the PCI. This reporting tool comes in 9 different versions to suit the factors that differ between entities.

Along with the SAQ come certain compliance requirements, which may include vulnerability scanning by an Approved Scanning Vendor (ASV), penetration testing, and/or an Attestation of Compliance (AoC), depending on the specific SAQ.

How do you decide which SAQ you need to fulfill?

To establish which SAQ applies to you, you must first establish which level you are at.

The PCI classifies its merchants by the number of transactions they process annually, their breach history, and their exposure; together these determine the merchant's "Level".

Merchants at levels 2-4 qualify for a PCI compliance self-assessment questionnaire. After determining the level you operate at, you can check on the PCI website which SAQ you need to complete. (Look out for the Centraleyes PCI Wizard coming soon.)

The PCI website recommends that entities ensure they meet all the eligibility criteria for a particular SAQ before using it. Merchants are encouraged to contact their merchant bank (acquirer) or the applicable payment brand(s) to confirm the appropriate SAQ based on their eligibility.

What do the SAQs measure?

Each SAQ is made up of questions that cover a different combination of the 12 PCI DSS requirements. Some SAQs include questions that assess all 12 requirements, whereas others assess fewer. Which requirements apply depends on the merchant's number of transactions and the payment methods it uses.

Who checks the SAQ?

This is where the "Self" comes in. The Attestation of Compliance (AoC) signed by your board is your verification.

Steps to Completing the SAQ

  1. Determine your Merchant or Service Provider level.
  2. Determine the compliance requirements for your level.
  3. Determine which SAQ to use.
  4. Recommended: use a compliance management platform with tools to prepare for compliance with the SAQs. Use pre-loaded SAQ questionnaires to thoroughly review all the questions, and automated remediation steps to ensure you are compliant. Track your progress, assign tasks and close gaps. When your preparation is finished, download the final report to make your official SAQ completion smooth and quick.
  5. Download the official SAQ questionnaire and AoC from the PCI website.
  6. Conduct scans and testing if required for your SAQ.
  7. Stay compliant. Use a compliance management platform to continue monitoring compliance with PCI DSS and keep up the best practices you've worked hard to achieve.
