Organizations of all types—whether multinational corporations, mid-sized firms or small merchants—pursue PCI DSS compliance for a number of varied reasons. These include meeting stringent regulatory requirements, establishing robust security postures and securing legal protection as they process, store or transmit credit card data.
Understanding the specific documentation required to validate your compliance is the first step toward reducing enterprise risk. The landscape of PCI DSS documentation primarily revolves around three core components: the Self-Assessment Questionnaire (SAQ), the Report on Compliance (RoC) and the Attestation of Compliance (AoC). Grasping what an Attestation of Compliance means, understanding the SAQ applicability to your specific transaction environment and knowing when a Report on Compliance is mandatory will empower you to make informed, strategic decisions.
What is a Self-Assessment Questionnaire (SAQ)?
A Self-Assessment Questionnaire (SAQ) is a tool used by an organization that handles credit card data in any capacity to ensure it meets the necessary security requirements set forth by the PCI Security Standards Council (PCI SSC). It’s typically performed by the business itself or outsourced to a Qualified Security Assessor (QSA) company like Schneider Downs. The SAQ serves as a “checklist” of requirements for how a business processes, stores and transmits credit card data and allows the organization to identify gaps in its security posture.
Note that different SAQs have different requirements based entirely on how your organization utilizes credit card data. Here’s a breakdown of the various PCI SAQs:
- SAQ A: This applies to merchants that outsource cardholder data handling entirely to PCI DSS compliant third parties. These entities have no processing, transmission or storage of cardholder data on their own systems.
- SAQ A-EP: This applies to e-commerce merchants that maintain control over their website but outsource payment processing. An SAQ is still applicable to these entities as they’re responsible for the transaction security of the website itself, which could be compromised to redirect payment information.
- SAQ B: This applies to merchants that only have imprint machines and/or stand-alone dial-out terminals that do not contain any electronic cardholder data storage.
- SAQ B-IP: This questionnaire is for merchants that do not store cardholder data on their systems but perform transaction processing via IP-connected POS terminals or terminals that are connected to the internet to transmit cardholder data.
- SAQ C: Designed for merchants that have payment application systems connected to the internet but do not store electronic cardholder data. This often applies to small businesses utilizing specific point-of-sale software.
- SAQ C-VT: This questionnaire covers merchants that do not store cardholder data and manually enter it and process it via virtual terminals or web-based applications provided by a PCI-compliant third-party service provider. This is frequently seen in mail/telephone order environments.
- SAQ P2PE: For merchants that use a PCI-validated Point-to-Point Encryption (P2PE) solution. This allows the merchant to securely encrypt cardholder data at the point of entry and decrypt it at the secure endpoint, drastically reducing the compliance scope. It’s helpful to determine if your P2PE devices are currently listed on the PCI SSC website.
- SAQ D (Merchants): This represents the most comprehensive assessment. It is for merchants that store, process, or transmit cardholder data and must be in compliance with the full suite of PCI DSS requirements.
- SAQ D (Service Providers): Designed specifically for service providers who store, process, or transmit cardholder data on behalf of clients, or who manage, support, or can affect the security of the cardholder environment of another entity. These services require the service provider to strictly adhere to the full PCI SAQ requirements.
What is a Report on Compliance (RoC)?
A Report on Compliance (RoC) is performed by a third-party QSA and provides an in-depth evaluation of the merchant’s adherence to the PCI DSS requirements.
Determining Your Merchant Level: Do You Need a RoC or a SAQ?
Whether your organization requires a RoC or an SAQ depends primarily on your merchant level, which is dictated by the number of credit card transactions you process annually across all channels.
By monitoring transaction volumes carefully, financial decision-makers can anticipate when their organization might cross the threshold from Level 2 to Level 1, requiring them to budget and plan for a transition from an SAQ to a RoC.
| Merchant Level | # of Transactions Per Year | SAQ or RoC? |
|---|---|---|
| Level 1 | > 6 million | RoC |
| Level 2 | 1 million to 6 million | SAQ |
| Level 3 | 20,000 to 1 million | SAQ |
| Level 4 | Less than 20,000 | SAQ |
What is an Attestation of Compliance (AoC)?
Once the assessment process is complete—whether via an SAQ or a third-party RoC—the organization must formally declare its status. An Attestation of Compliance (AoC) verifies that your organization is compliant with PCI DSS requirements.
An AoC is completed after the internal security expert or QSA has assessed the merchant for compliance with PCI DSS standards. It is important to note that an AoC accompanies an SAQ or RoC regardless of whether the merchant performs the SAQ internally or outsources it to a third-party assessor.
Merchants typically provide the AoC to service providers, credit card companies, banks or business partners. For a C-suite executive, signing the AoC represents a formal acknowledgment that the organization has implemented the necessary security measures to protect cardholder data, carrying significant legal and operational weight.
Be sure to check back to our PCI DSS Solutions page as we make additional guidance and resources available.
How Can Schneider Downs Help?
As a certified Qualified Security Assessor (QSA) company, Schneider Downs is equipped to assist clients with their PCI compliance requirements by providing scalable, efficient solutions for meeting the rigorous demands of PCI compliance.
If you have any questions regarding PCI DSS v4.0 feel free to contact the Schneider Downs team at [email protected] or visit our PCI DSS solutions website.
About Schneider Downs IT Risk Advisory Services
Schneider Downs’ IT Risk Advisory professionals help organizations gain valuable insights into their processes and technologies. Our dedicated IT Risk Advisory professionals have experience working with a wide variety of industries and companies of all sizes. We will partner with you to provide comprehensive IT risk advisory reviews that will ensure your organization has effective and efficient technology controls that better align the technology function with your business and risk strategies.
To learn more, visit our dedicated IT Risk Advisory page.
