PCI Compliance – Completing an SAQ D – Service Provider

This is the final installment in our series reviewing each of the Self-Assessment Questionnaires (SAQs) available for organizations required to comply with the PCI DSS. This final blog is going to cover another sub-type of the SAQ D, the SAQ D – Service Provider. This SAQ is unique in that, if you’re a service provider, you have to use this. There are no additional options or SAQs with fewer requirements that you can fill out. So with that laid out, let’s look at this SAQ in more detail.

What Organizations Can Use SAQ D – Service Provider

Well that’s a pretty easy question to answer, only Service Providers. But there are few important points here. First, a company can be both a merchant and a service provider. So for some payment channels, they may be required to fill out one of the other merchant SAQs we’ve discussed, but for all of their service provider activity, they’d still need to complete an SAQ D – Service Provider. For example, let’s say there is a Managed Service Provider who offers outsourced IT functions to merchant organizations (making them a service provider) but that same organization also has an e-commerce website where they directly sell computers or security appliances (a function of a merchant). In this scenario, if the organization is defined by a payment brand as SAQ-eligible, they would need to complete at least 2 SAQs, one of which would be an SAQ D – Service Provider.

Another important point to cover here is what actually makes an organization a service provider? PCI defines a service provider as an organization that is directly involved in the transmission, processing, or storage of cardholder data on behalf of another entity. This umbrella also encompasses any business who provides services that control or could impact the security of cardholder data, such as a vendor that manages your firewalls. Internet Service Providers (ISPs) that only provide an organizations pipe for the Internet, however, are not considered service providers for the purposes of PCI compliance.

Approach To Complete This SAQ

A service provider completing an SAQ D – Service Provider will notice that there are a lot of requirements. There are even more requirements than SAQ D – Merchant, as some individual requirements in the PCI DSS only apply to Service Providers. But, depending on your business model, there may be some reprieve. Some Service Providers can mark a number of sections as “Not Applicable” depending on what services they provide or how they help merchant organizations. For example, if you’re just doing firewall management and are not doing any custom application development, you may be able to N/A almost all of Requirement 6. Of course when doing this, you’ll want to carefully read the requirements and potentially consult an expert to make sure you are really taking the right path and adhering to the spirit of all requirements. This can be a complicated subject where not even all Qualified Security Assessors (QSAs) agree, so you’ll want to do some due diligence here. If you want to talk more about your specific situation, we’re always happy to help so feel free to reach out.