SAQ A: What to Know, and What to Do

Learn what’s required to fill out SAQ A.  

By: Jen Stone Security Analyst CISSP, QSA

To become PCI compliant, your bank might allow you to fill out a Self-Assessment Questionnaire, but there are different types of questionnaires for different types of businesses. These differences could include what type of card data your business receives, how you handle payments, and how you store and transmit card data.

This post will focus on SAQ A and what businesses need to do to complete it.

SEE ALSO: 5 Simple Ways to Get PCI Compliant

Who does SAQ A apply to?

SAQ A is for merchants who have outsourced their card data functions to validated third parties. This may include e-commerce or mail/telephone-order merchants.

The PCI DSS outlines a list of requirements that apply to SAQ A merchants:

• Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions
• All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers
• Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions
• Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant
• Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.

What requirements does SAQ A address?

SAQ A addresses the following requirements:

• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Requirement 8: Identify and authenticate access to system components
• Requirement 9:  Restrict physical access to cardholder data 
• Requirement 12: Maintain a policy that addresses information security for all personnel

SAQ A is one of the shorter SAQs, mainly because applicable businesses don’t actively deal with any card data and have outsourced all cardholder data functions to third parties. However, because they have access to reports and receipts containing cardholder data, they still need to make sure they’re secure and following applicable PCI compliant policies and procedures.

SEE ALSO: SAQ A-EP: The What and the How

Example questions 

Here are a few questions that you’ll need to answer:

• Are vendor-supplied defaults always changed?
• Are all users assigned a unique ID before allowing them to access system components or cardholder data?
• Are all media physically secured?
• Is strict control maintained over the internal or external distribution of media? 
• Is strict control maintained over the storage and accessibility of media? 
• Is all media destroyed when no longer needed for business or legal reasons? 
• Are policies and procedures maintained and implemented to manage service providers? 
• Is there a written agreement between you and the service provider that acknowledges the provider’s responsibility for card data security? 
• Is there an established process for engaging service providers? 
• Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?  

Tips

Here are some tips to help you with SAQ A.

Tweet

• Update security policies with service providers: Even if you don’t handle card data directly, it’s important your service providers are PCI compliant. Make sure your agreements with them regarding security are updated regularly.
• Train your employees: Policies are no good if your employees aren’t following them. Train employees at least quarterly, if not monthly.
• Work with a QSA/security expert: Having an expert help you with PCI compliance can save you a lot of time and energy.

Need help with getting PCI compliant? Let’s see how you’re doing. 

Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.