The self-assessment questionnaire (SAQ) is a form the merchant completes that qualifies them for PCI compliance. Determining which form to complete is the hardest part of this process, as there are numerous options based on how you accept cards.
Depending on whether you use box terminals, a fully-integrated POS, an ERP system, or a virtual terminal, a different SAQ is required. The Evolve Payment team can help you determine which form is best for you. Otherwise, the PCI-DSS website has brief descriptions for each form, explaining applicability.
Completing the SAQ can also be difficult without guidance and is often a discouraging step for merchants. Some SAQ questions can be misleading and hard to understand, and some questions may lead you to a different SAQ. Thankfully, there are a multitude of third-party companies that can walk you through the security process and act as a resource (Trustwave, Sysnet, and SecurityMetrics, to name a few).
At Evolve Payment, we are well-versed in the PCI compliance process and offer a more boutique alternative to the big cybersecurity companies. Another option is for your processor to offer guidance, as most of them have a PCI compliance department.
3. Send the Questionnaire to Your Processor for Submission
After completing the SAQ, your processor will submit it for approval. This is a hands-off process with a quick turnaround. Once approved, your processor will send you a certificate and send your registration data to a PCI office. Once you’ve been registered, you’re officially compliant!
4. Follow Your Quarterly Scan Reports
Merchants that are PCI compliant will receive automatic quarterly scans that look for vulnerabilities in your system. Most processing setups will require scans, with one of the only exceptions being if you’re using a standalone terminal with a dial-up connection. If you’re retail and using an Ethernet connection for your terminal, for example, you’ll need a scan. Make sure to look for quarterly scan reports in your email inbox and implement any recommendations they may have.