PCI SAQ C: Securing Your Payment Application

See what’s required for PCI SAQ C.


Self-Assessment Questionnaire (SAQ) C addresses requirements for merchants whose payment application systems are connected to the Internet.

SAQ C merchants process cardholder data via point-of-sale (POS) systems or other payment application systems connected to the Internet. They don’t store cardholder data electronically on any computer system, and they can be either card-present or card-not-present merchants.

Who qualifies for PCI SAQ C?

You should fill out this PCI SAQ if the following qualifiers apply to you:

  • Your business has a payment application system and an Internet connection on the same device and/or same local area network (LAN)
  • The payment application system isn’t connected to any other systems within your environment
  • The POS environment isn’t connected to other locations, and any LAN is for a single location only
  • Any cardholder data your business retains is on paper (for example, printed reports or receipts), and these documents are not received electronically
  • Your company does not store cardholder data in electronic format

Note: SAQ C doesn’t apply to e-commerce merchants.

See also: SecurityMetrics PCI Guide

What’s the difference between SAQ C and SAQ C-VT?

PCI SAQ C-VT applies to merchants who process payments via virtual payment terminals, while SAQ C deals with isolated payment application systems that are connected to the Internet and don’t store electronic cardholder data.

See also: SAQ C-VT: The Basics You Should Know

What requirements does SAQ C cover?

SAQ C touches on all 12 PCI DSS requirements, but some requirements call for more attention than others.

What questions will I answer in the SAQ C?

PCI SAQ C has a total of 160 questions. Here are some sample questions you may be required to answer.

  • Is inbound and outbound traffic restricted to what’s necessary for the cardholder data environment?
  • Are vendor-supplied default credentials always changed before installing a system on the network?
  • Is sensitive authentication data deleted or made unrecoverable after the authorization process?
  • Are only trusted keys and/or certificates accepted?
  • Is anti-virus software deployed on all systems commonly affected by malicious software?
  • Are critical security patches installed within one month of release?
  • Are individuals assigned access based on their job classification and function?
  • Are all users assigned a unique ID before allowing them to access system components or cardholder data?
  • Are user passwords/passphrases changed at least once every 90 days?
  • Is all media destroyed when it is no longer needed for business or legal reasons?
  • Are audit logs retained for at least one year?
  • Are quarterly internal vulnerability scans performed?
  • Is a list of service providers maintained, including a description of the service(s) provided?

Additional tips for filling out your SAQ C

Here are a few other things to consider when filling out SAQ C:

  • Document everything: Make sure you’re documenting all policies and procedures. It keeps everything organized and gives you evidence to show an assessor or acquirer
  • Segment your networks: Keeping your cardholder data environment (CDE) separate from the rest of your business can help reduce your PCI scope
  • Talk to a Qualified Security Assessor (QSA): If you’re not familiar with PCI, it’s a good idea to talk to someone who is. PCI experts can help you find areas where your security is lacking
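The first sample question above (inbound and outbound traffic restricted to what the cardholder data environment needs) and the segmentation tip are easiest to reason about with a concrete policy in front of you. The following is an added example, not code from SecurityMetrics or from the PCI SSC: a small first-match, default-deny policy evaluator that audits a POS segment's rules against a constructed list of flows that must work and flows that must not. All addresses (10.10.20.0/24 as the POS LAN, 10.10.10.0/24 as the back office, 203.0.113.10 as the acquirer's gateway) and ports are assumptions chosen for illustration.

```python
"""Added example (not from the original page): a first-match, default-deny
policy evaluator that checks whether a POS segment's allowed traffic is
limited to what the payment application actually needs.
All addresses, ports and flows below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

POS_LAN = ipaddress.ip_network("10.10.20.0/24")       # assumed POS segment
OFFICE_LAN = ipaddress.ip_network("10.10.10.0/24")    # assumed back-office segment
PROCESSOR = ipaddress.ip_network("203.0.113.10/32")   # assumed acquirer gateway (TEST-NET-3)
RESOLVER = ipaddress.ip_network("10.10.20.1/32")      # assumed DNS resolver on the POS segment
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; a flow that matches nothing is denied.
    Only the direction that initiates the connection is modelled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


# Weak policy: the POS LAN may reach anything, and the office LAN may reach the POS LAN.
WEAK_POLICY = [
    Rule("allow", POS_LAN, ANY),
    Rule("allow", OFFICE_LAN, POS_LAN),
]

# Hardened policy: the payment application's TLS session to the processor,
# DNS to the segment's resolver, and nothing else in either direction.
HARDENED_POLICY = [
    Rule("allow", POS_LAN, PROCESSOR, 443),
    Rule("allow", POS_LAN, RESOLVER, 53),
    Rule("deny", POS_LAN, ANY),
    Rule("deny", ANY, POS_LAN),
]

Flow = Tuple[str, str, int]

# Constructed sample traffic: flows the payment application needs ...
REQUIRED: List[Flow] = [
    ("10.10.20.50", "203.0.113.10", 443),   # POS to acquirer gateway
    ("10.10.20.50", "10.10.20.1", 53),      # POS to its resolver
]
# ... and flows that have no business crossing the segment boundary.
FORBIDDEN: List[Flow] = [
    ("10.10.20.50", "198.51.100.7", 80),    # POS browsing the web
    ("10.10.20.50", "10.10.10.5", 445),     # POS reaching a back-office file share
    ("10.10.10.5", "10.10.20.50", 3389),    # office RDP into the POS
    ("192.0.2.9", "10.10.20.50", 22),       # inbound SSH from the Internet
]


def audit(rules: List[Rule]) -> List[str]:
    """Return findings; an empty list means traffic is restricted to what is necessary."""
    findings = []
    for src, dst, port in REQUIRED:
        if evaluate(rules, src, dst, port) != "allow":
            findings.append(f"required flow blocked: {src} -> {dst}:{port}")
    for src, dst, port in FORBIDDEN:
        if evaluate(rules, src, dst, port) == "allow":
            findings.append(f"unnecessary flow allowed: {src} -> {dst}:{port}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy) or "OK")
```

The weak policy passes every required flow but also permits web browsing from the POS, POS access to the office file share, and office RDP into the POS, which is exactly the kind of connectivity that pulls the rest of the business into scope. The hardened policy keeps the two required flows and denies everything else explicitly, so adding a new allow rule later shows up as a policy change rather than an accident. The evaluator is stateless and models only who may initiate a connection; a real firewall would track state so the processor's replies on the established session are not caught by the final inbound deny.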
