While doing my research into the PCI standards I have come across a term quite often: SAQ. The acronym stands for Self Assessment Questionnaire. The PCI standards Self Assessment Questionnaire is a tool used to assist merchants and service providers in self-evaluating their PCI compliance.
There are five different versions of the PCI standards SAQ in order to meet various scenarios. The version that your organization will need to complete depends on how your company handles credit card data. For some businesses, the appropriate questionnaire is short and simple, while for others it is long and technical. But each questionnaire is divided into six sections that focus on a specific area of security. These are:
- Maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
While completing the SAQ, merchants have to pass each question in order to be considered compliant with the PCI standards. Failing any question means the merchant or service provider is not compliant. The risk(s) identified by the questionnaire must be remedied and the questionnaire retaken.
The SAQ may seem somewhat complicated, but there are many businesses and websites out there that can help you complete it. Also, depending on your merchant level, the SAQ may not be enough. You may need to have an onsite audit completed to certify your PCI compliance. The best thing to do if you are unsure is to check with your acquirer.