We come back to our series covering the different SAQs that an organization can complete to meet PCI DSS requirements. This decision is an important one: your applicable SAQ determines how many requirements you need to address (which equates to cost) as well as the scope of systems those requirements apply to (also cost). Today we'll hit SAQ C, and if you didn't catch the smaller SAQs before this one, don't worry, we'll post a wrap-up of all of them when we're done. We'll cover which merchants can use this SAQ and what needs to be in place to keep an organization within this category of SAQ.
What Organizations Can Use This SAQ
This SAQ is your last stop before you get to a full-blown SAQ D, which comes with a lot of requirements. If your organization has a payment application on its network that processes or transmits cardholder data, this SAQ is your best-case scenario. But the key factor in being able to use it is network segmentation. True network segmentation that separates your cardholder data environment (CDE) from the rest of your internal network is required, and "true" means the controls actually block traffic between the two, not that the CDE simply sits on its own VLAN or subnet. This can be difficult, as it may require sweeping changes to your company's network architecture, additional hardware, resource-intensive network configuration changes, or all of the above.
Even though this may seem like a difficult proposition, it is absolutely worth it. Limiting the application of PCI requirements to only the segmented CDE represents a huge cost savings and will probably keep the general user population a little happier. Not to mention it's a more manageable network security posture that ultimately helps better protect your organization. If you want to better understand how your organization could go from an SAQ D to an SAQ C, or just talk through the costs and benefits of this endeavor, we'd be happy to take a look at your specific situation in more depth.
What Does it Take to Complete an SAQ C?
For your company to complete an SAQ C, you’ve got to confirm for the applicable payment channel that:
- Your organization has a payment application system AND an Internet connection on the same device or the same local area network (LAN).
- You're using network segmentation to isolate the payment application system from all other systems in your environment.
- The POS environment at a physical location is not connected to other premises or locations, and any LAN serves a single location only.
- Your company doesn't store any cardholder data electronically. Any cardholder data you retain must be paper only (reports or receipt copies) and must never have been received electronically.
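The second criterion is the one that decides scope, so it is worth checking the segmentation controls rather than taking the network diagram's word for it. As an added example that is not part of the original post, the Python script below evaluates a firewall rule set (first match wins, implicit default deny) and reports every probe from outside the CDE that the rules would let through to a CDE host. The CDE subnet, corporate and guest networks, processor address range, ports and rules are all constructed for illustration and are assumptions, not anything from the post. Reviewing rules this way catches broad "temporary" allows, but it is not a substitute for actually testing reachability from outside the CDE.

```python
"""Check a firewall rule set for CDE isolation.

Added example, not from the original post. All networks, ports and rules
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    dports: frozenset    # destination TCP ports; empty set means any port


# Constructed addressing (assumptions): CDE, two networks outside it, and the
# payment processor range the POS is allowed to reach.
CDE = "10.20.0.0/24"
PROCESSOR = "198.51.100.0/24"
OUTSIDE_PROBES = {                    # label -> a representative host outside the CDE
    "corporate workstation": "10.10.5.23",
    "guest wifi": "192.168.50.7",
    "internet": "203.0.113.10",
}
PROBE_PORTS = (22, 80, 443, 445, 3389, 8080)

# Weak rule set: a "temporary" RDP allow from the whole office LAN into the CDE.
WEAK_RULES = [
    Rule("allow", "10.10.0.0/16", CDE, frozenset({3389})),
    Rule("allow", CDE, PROCESSOR, frozenset({443})),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", frozenset()),
]

# Hardened rule set: only POS egress to the processor, nothing inbound.
HARDENED_RULES = [
    Rule("allow", CDE, PROCESSOR, frozenset({443})),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", frozenset()),
]


def _matches(rule, src, dst, port):
    """True if the packet (src, dst, port) falls within the rule's selectors."""
    return (src in ipaddress.ip_network(rule.src)
            and dst in ipaddress.ip_network(rule.dst)
            and (not rule.dports or port in rule.dports))


def is_allowed(rules, src, dst, port):
    """First-match evaluation; anything no rule matches is denied."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, src, dst, port):
            return rule.action == "allow"
    return False


def segmentation_violations(rules, cde, probes, ports):
    """Return (probe label, CDE host, port) for every outside probe the rules admit.

    Targets the first and last usable host of the CDE so that a rule scoped to a
    single CDE address is still exercised from both ends of the range.
    """
    hosts = list(ipaddress.ip_network(cde).hosts())
    targets = [hosts[0], hosts[-1]]
    violations = []
    for label, src in probes.items():
        for dst in targets:
            for port in ports:
                if is_allowed(rules, src, dst, port):
                    violations.append((label, str(dst), port))
    return violations


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        found = segmentation_violations(rules, CDE, OUTSIDE_PROBES, PROBE_PORTS)
        print(f"{name}: {len(found)} segmentation violation(s)")
        for label, dst, port in found:
            print(f"  {label} can reach {dst}:{port}")
```

Run it as-is to see the weak set flagged (the office LAN reaches both ends of the CDE on 3389) and the hardened set pass, while `is_allowed` still confirms the POS can reach the processor on 443. To use it against a real environment, export your firewall's rule base into `Rule` objects and replace the constructed probes with one host from each network that is supposed to be out of scope.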