PCI Compliance – Completing an SAQ A

One of the most common compliance standards we deal with as an organization is the Payment Card Industry Data Security Standard (PCI DSS). Reading through this standard can be complex however, and trying to figure out how it applies to your organization can be a daunting task. For most organizations that have to complete a Self-Assessment Questionnaire (SAQ), the most difficult part of the process is often just trying to understand which SAQ you should even be completing! So we’ll start with the more simple SAQs (SAQ A in this case, you can read our previous explanation of SAQ B here) and try to help de-mystify the requirements for an organization to complete this level of self-assessment.

Why Should You Care?

Even though we covered this in the previous blog covering SAQ B, I think it’s important to leave this section for any reader who hasn’t checked out that post. So feel free to skip this if it seems familiar. Let’s go through a little bit about the different SAQs and why it’s so important to choose the right one. There are 9 different SAQs you could potentially complete as an organization. Some organizations complete multiple different SAQs, one per payment channel (this would be up to your acquiring bank). The difference between all these different levels are the number of requirements that you are responsible for complying with. That’s the primary reason you want to make sure you use the proper SAQ. This will make sure you are not unnecessarily complying with any requirements that should be N/A, not complying with overlying stringent requirements given the ways you process credit cards, and making sure you don’t have any unnecessary residual liability from not properly assessing your organization. Your SAQ selection and your scope have an immense impact on your level-of-effort associated with compliance.

What Does it Take to Complete an SAQ A?

For an SAQ A specifically, there are 6 requirements and your organization has to meet all of them:

  • Your organization only accepts card-not-present (e-commerce or mail-order/telephone-order) transactions.
  • All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers.
  • Your organizations does not electronically store, process, or transmit any cardholder data on-premise, but relies on third-party service providers to complete these activities for them.
  • Your organization confirms and attests that all third-parties participating in these PCI-related activities are doing so in a compliant manner.
  • Any cardholder data your organization does retain is on paper and you don’t receive these electronically.
  • Also, if you’re using e-commerce payment channels, all elements of the payment page must originate directly from the PCI-compliant third-party service provider.

So if you can answer “Yes” to each one of those bullets you are eligible. SAQ A is one of the self-assessment categories with the least number of requirements that your organization needs to comply with, if you fall into this category. This is a result of the strict criteria that you have to meet to fill an SAQ A out. You basically need to avoid ever touching credit cards in an electronic format and completely outsource all responsibility for the handling of credit card data to a third-party service provider. But even if you outsource everything, you’ve still got some minimal requirements that you’ve got to attest to, primarily revolving around your third-party management program where you’re tracking their continued compliance.

An SAQ A has a short set of requirements that are pretty easy to meet, giving you a pretty clear path to compliance compared to some of the other potential SAQs. If you think your organization meets all of the requirements noted above, confirm with your acquiring bank that they’ll accept an SAQ A from you. If you’ve got any questions or need some help completing the SAQ iteself, we’d be more than happy to talk through whatever you need.