Arrow Blog : The FAQs on SAQs

March 16, 2012 1:38 PM

The FAQs on SAQs

A few months ago, I wrote about the basics of PCI Compliance. To jog your memory, everyone hates this. To jog your memory more accurately, PCI Compliance is a mandatory security standard put in place by the card companies, and requires that you provide information about the way you process transactions. To become compliant, you will have to complete a Self Assessment Questionnaire (SAQ) online where you will be asked a series of yes or no questions about how you process credit card transactions.

The SAQ is a validation tool for merchants and service providers to insure your business is using the correct security practices. The process begins with a series of 5 questions. Depending on how you answer the initial 5 questions, the correct SAQ should be automatically prompted. It helps if you think of it like a choose-your-own-adventure book. Your next adventure? More questions!

Which SAQ Do I Need?
There are multiple versions of the SAQs to meet multiple business scenarios. Some merchants are lucky—the required questionnaire is short and sweet. For others, not so much. If you process transactions over an Ethernet connection, your SAQ will be longer. To find out which SAQ is for you, check the list below:

SAQ A: This is for e-commerce or mail/telephone-order merchants where the card is not present at the time of transaction. No brick and mortar stores should be using SAQ A.

SAQ B: Merchants who use an imprinter (often lovingly referred to as a knuckle-buster) during transactions, or utilize a stand-alone terminal not connected to the internet. Anyone completing SAQ B must not store cardholder data electronically.

SAQ C: This is for merchants with point-of-sale systems that only connect to the internet for authorization, and do not electronically store cardholder data. The merchant must not be connected to other locations or other systems within the organization’s environments (i.e. a corporate office).

SAQ D: All other merchants who do not fit into the above criteria. The first 3 SAQs are designed for very specific processing scenarios. SAQ D is a catch-all for the others.

It is essential that you answer the first 5 questions correctly so you are not prompted to complete the wrong questionnaire. Certain SAQ’s require a scan of your system, but the process is painless and only takes a few minutes to complete. If you are not sure how to answer a question—the wording can get unnecessarily confusing—please check with your merchant account provider or acquiring bank before proceeding.

At Arrow Payments, we are committed to making PCI Compliance as painless as possible. We get all merchants compliant immediately as part of the application process, and assist them in choosing the appropriate questionnaire. Becoming PCI Compliant is necessary, but also confusing, and that’s why we’re always here to help.

Arrow Payments provides a Simply Better solution for processing payments online. Have a question? Tweet Antonia at @ArrowPayments

Home Archive RSS