See what’s required for this SAQ. 

By: Jen Stone
Security Analyst
Self-Assessment Questionnaire (SAQ) C addresses requirements for merchants whose payment application systems are connected to the Internet.

SAQC merchants process cardholder data via point-of-sale (POS) systems or other payment application systems connected to the Internet. They don’t store cardholder data on any computer system, and they can be either card-present or card-not-present merchants.
Here’s a quick look into what you should know about SAQ C.

Who qualifies for SAQ C?

You should fill out this SAQ if the following qualifiers apply to you:
  • Your business has a payment application system and an Internet connection on the same device and/or same local area network (LAN)
  • The payment application system isn’t connected to any other systems within your environment
  • The POS environment isn’t connected to other locations, and any LAN is for a single location only
  • Any cardholder data your business retains is on paper (for example, printed reports or receipts), and these documents are not received electronically
  • Your company does not store cardholder data in electronic format
Note: SAQ C doesn’t apply to e-commerce merchants.

What’s the difference between SAQ C and SAQ C-VT?

SAQ C-VT applies to merchants who process payments via virtual payment terminals, while SAQ C deals with isolated payment application systems that are connected to the Internet and don’t store electronic cardholder data.

SEE ALSO: SAQ C-VT: The Basics You Should Know

What requirements does this SAQ cover?

SAQ C touches on all the requirements, but some requirements call for more attention than others.
  • Requirement 1: Install and maintain a firewall configuration to protect data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel

What questions will I answer?

SAQ C has a total of 160 questions. Here are some sample questions you may be required to answer.
  • Is inbound and outbound traffic restricted to what’s necessary for the cardholder data environment?
  • Are vendor-supplied default credentials always changed before installing a system on the network?
  • Is sensitive authentication data deleted or made unrecoverable after the authorization process?
  • Are only trusted keys and/or certificates accepted?
  • Is anti-virus software deployed on all systems commonly affected by malicious software?
  • Are critical security patches installed within one month of release?
  • Are individuals assigned access based on their job classification and function?
  • Are all users assigned a unique ID before allowing them to access system components or cardholder data?
  • Are user passwords/passphrases changed at least once every 90 days?
  • Is all media destroyed when it is no longer needed for business or legal reasons?
  • Are audit logs retained for at least one year?
  • Are quarterly internal vulnerability scans performed?
  • Is a list of service providers maintained, including a description of the service(s) provided?

Additional tips

Here are a few other things to consider when filling out SAQ C:
  • Document everything: Make sure you’re documenting all policies and procedures. It helps you keep everything organized and protects you from liability
  • Segment your networks: Keeping your card data environment separate from the rest of your business can help reduce your PCI scope
  • Talk to a Qualified Security Assessor: If you’re not familiar with PCI, it’s a good idea to talk to someone who is. PCI experts can help you find areas where you’re lacking in security
Need help getting PCI compliant? Talk to us!

Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.