PCI Compliance Step 2: which Self Assessment Questionnaire applies to you

This is the second of a series of articles that we will publish in an attempt to make things a bit clearer when it comes to PCI Compliance. In the first article, we talked about how to find out what kind of merchant you are (the “merchant level”).

Your merchant level is important because there are different requirements in place depending on which level your business falls into. One requirement that applies to all merchants is filling out a “Self Assessment Questionnaire” (or SAQ) prepared by the PCI Security Standards Council. How often you need to fill out the Questionnaire changes depending on the merchant level (see the links mentioned in the first article).

The problem is… there are 4 different SAQs. Which one’s for you? The different questionnaires are labeled with letters A to D. SAQ A is short and sweet, but only applies in certain circumstances. B & C don’t apply to online stores. D is the one that most commonly applies.

SAQ A only applies in rather rare scenarios in which the e-commerce application used on your Internet storefront is not considered a payment application. That only happens when it is not transmitting and/or storing any credit card information at all. This can only occur when you are using (and only using) a completely outsourced checkout process such as PayPal Express Checkout.

Applying all of the above to your ProductCart-powered store…

  • If your ProductCart-powered store does NOT transmit and/or store any credit card information, then you can use SAQ A. This applies when:
    • There is no payment option that involves credit card information
    • You are using only one or more of the following payment options, which share the fact that no payment information is entered on your Web store (but rather on a page hosted on the payment system’s Web site), and no payment information is ever stored in your database:
      • 2Checkout
      • Google Checkout
      • PayPal Express Checkout
      • PayPal Standard
      • WorldPay
  • In all other cases you must use SAQ D.

We’ll start talking about the Self Assessment Questionnaire itself in the next article on PCI Compliance.
