Learn what’s required to fill out SAQ A
To become PCI compliant, your bank might allow you to fill out a Self-Assessment Questionnaire, but there are different types of questionnaires for different types of businesses. These differences could include what type of card data your business receives, how you handle payments, and how you store and transmit card data.
This post will focus on SAQ A and what businesses need to do to complete it.
See also: 5 Simple Ways to Get PCI Compliant
Who needs to use SAQ A?
SAQ A is for merchants who have outsourced their card data handling to validated third parties. This category may include e-commerce or mail/telephone-order merchants.
The PCI DSS outlines a list of requirements that apply to SAQ A merchants:
- Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions
- All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers
- Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on third parties to handle all of these functions
- Your company has confirmed that all third parties handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.
What requirements does SAQ A address?
SAQ A addresses the following requirements:
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
- Requirement 12: Maintain a policy that addresses information security for all personnel
SAQ A is one of the shorter SAQs, mainly because applicable businesses don’t actively deal with any card data and have outsourced all cardholder data functions to third parties. However, because they still have access to reports and receipts containing cardholder data, they need to make sure those documents are secured and that they follow the applicable PCI DSS policies and procedures.
See also: SAQ A-EP: The What and the How
Example questions from SAQ A
Here are a few questions that you’ll need to answer:
- Are vendor-supplied defaults always changed?
- Are all users assigned a unique ID before allowing them to access system components or cardholder data?
- Are all media physically secured?
- Is strict control maintained over the internal or external distribution of media?
- Is strict control maintained over the storage and accessibility of media?
- Is all media destroyed when no longer needed for business or legal reasons?
- Are policies and procedures maintained and implemented to manage service providers?
- Is there a written agreement between you and the service provider that acknowledges the provider’s responsibility for card data security?
- Is there an established process for engaging service providers?
- Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
Tips to fill out SAQ A
- Update security policies with service providers: Even if you don’t handle card data directly, it’s important your service providers are PCI compliant. Make sure your agreements with them regarding security are updated regularly.
- Train your employees: Policies are no good if your employees aren’t following them. Train employees at least quarterly, if not monthly.
- Work with a QSA/security expert: Having an expert help you with PCI compliance can save you a lot of time and energy.