Society of Payment Security Professionals - Payment Security Blog

Self-Assessment Questionnaire (SAQ) v1.1 Released

The PCI SSC released version 1.1 of the Self-Assessment Questionnaire and it shows the migration from the current eight page document to one that is more in-line with the Security Audit Procedures. In addition the SSC released several companion documents including:

• How it fits together - Visualization of validation
  
• Instructions for completing the SAQ - How these documents apply to you based on your acceptance channels
  
• Navigating the PCI DSS document - Includes a “guidance” analysis associated with each of the 226 questions. This may also be useful when performing the PCI DSS audit for larger merchants.
  
• Frequently Asked Questions

This brings all PCI DSS validation documents in-line with a consistent 1.1 version. Though, now there are 4 different SAQ documents that will apply to different merchants depending on their operational environment. The documents: A, B, C, and D will apply in the following manner:

• SAQ Validation Type 1 / SAQ A: Card-not-present, All Cardholder Data Functions Outsourced
• SAQ Validation Type 2 / SAQ B: Imprint Merchant Only, No Electronic Cardholder Data Storage
• SAQ Validation Type 3 / SAQ B: Standalone, Dial-out Terminal Merchant, no Electronic Cardholder Data Storage
• SAQ Validation Type 4 / SAQ C: Merchants with Payment Application Systems Connected to the Internet
• SAQ Validation Type 5 / SAQ D: All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ

Seem a bit confusing? That’s why there exists the instructions and guidelines document. There is one interesting thing you will find in here - page 9 states that compensating controls only apply to SAQ D.

The different SAQ documents vary in length with SAQ A having only 11 questions, SAQ B having 21 questions, SAQ C having 38 questions, all the way up to SAQ 4 with 226 questions.

One of the questions in the FAQ asks: What is the sunset date for the Self-Assessment Questionnaire version 1.0?

The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) version 1.1 was released by the Council on February 6, 2008. Any SAQ submissions after April 30, 2008 must be completed using SAQ version 1.1.Please note an entity must be compliant with the PCI Data Security Standard in its entirety. The questions in the SAQ version 1.0 do not cover all of the PCI DSS requirements. As such, an organization that is only compliant with the questions in SAQ version 1.0 in not considered to be compliant with PCI DSS based on the SAQ alone. The organization must verify that it adheres to all of the requirements stipulated in the PCI DSS.

There is a lot of new information so read each of the documents carefully and make sure you understand things before proceeding. As always, you can post and ask questions in our online forum.