After discussing a number of the other Self Assessment Questionnaires (SAQs) that merchant organizations may need to complete for PCI DSS compliance, we have finally reached the peak if you’re a merchant. This final SAQ for merchants (we’ll cover D for service providers soon) is the catch-all that applies to any organization that isn’t able to complete any of the other SAQs. We’ve talked a lot about scope control and the desire to reduce the number of requirements you need to comply with to reduce the organizational resources (time and money) required for compliance. If you’ve fallen into this category, I’m afraid the workload to maintain compliance is going to be significant. So let’s dive into the SAQ D for merchants and better understand it.
What Organizations Can Use SAQ D – Merchant
The question isn’t so much “what organizations can use this SAQ” as what organizations can’t, or don’t have to. If can qualify for any of the other SAQs, you want to be using one of those, as they are subsets of requirements from an SAQ D. This SAQ is by far the largest and consists of all merchant requirements laid out by the PCI Council. In our experience, it can be very hard to comply with all 329 requirements for over time as you’re trying to maintain regular business operations, as compared to half that number of requirements for the other SAQs.
But you may not have a choice based on your business model of course. If you’re an in-house developed e-commerce website accepting payments or you’re storing cardholder data electronically for recurring transactions, then this SAQ is right for you. The electronic storage of cardholder data, a lack of adequate network segmentation, or the use of POS systems without tokenization or P2PE are all good signs that you’ll need to complete this SAQ, although of course contact your acquiring bank or give us a call to talk through the specifics of your situation.