Differences in SAQ

What are the 3D Secure 2.0 Exemptions?

Depending on what your business is and how it handles credit cards, will then dictate the type of SAQ ( Self Assessment Questionnaire) your organization must complete. Most companies underestimate the guidelines for PCI compliance, and will elect to collect and store data on their own thinking…how hard can it really be? Well, the reality is that if an organization collects, handles, and stores their own credit card data they will need to complete an SAQ type D, which is a full scope SAQ with roughly 347 questions that need to be completed. Even if only one of these questions is missed it will result in failure to be PCI compliant, which will lead to substantial fines from your acquirer.

So what are the differences between SAQs and which one is used for each organization? Well if you’re a company that collects, handles, and stores credit card data on your servers, the SAQ required type D. SAQ type D as explained, is the highest SAQ possible and depending on if you’re a service provider or a merchant will determine what form is used. So you might say to yourself that’s fine, I don’t store card data, my payment gateway does and then gives me a clean token back for me to use. That is a decent solution, however, the organization is still responsible for collecting the credit card data and if a breach occurs, then the data being collected can still be compromised. For this type of organization, the SAQ required is SAQ type C, which still leaves the company with 139 questions to answer. As everyone can guess companies don’t always have the time to spend on becoming and maintaining PCI compliance, and although payment gateway tokenization is one solution it is not the most effective solution. Using a PCI host that is PCI compliant is the easiest solution for PCI compliance because this type of organization can collect and store all credit card data if the company is a call center or e-commerce. This allows a company to fill out the SAQ type A, which is only 14 questions and much easier to maintain.

So what about companies that have part of their business online but also have retail locations? Well up until a few years go the company had to complete the SAQ based on the highest vulnerabilities. Now, however, as long as the online servers are completely separate and can not be breached by the retail store’s servers, it is possible to use a PCI host and complete an SAQ type A. That means for your online business the credit cards will be sent to a PCI host server and a clean token will be given to your servers to store freely. This then makes PCI compliance a little easier because your online business can use SAQ type A and if your retail business uses a payment gateway for tokenization then they can be SAQ type C.

This makes PCI easier for all companies and although nothing can be 100% guaranteed using a third party that only focuses on PCI compliance the chances of a breach are much slimmer because the organization’s main focus is PCI compliance. So as long as your PCI host stays and 100% PCI compliance level 1 your organization will be safe in the hands of a PCI host.