Last week we covered two of the four self-assessment questionnaires (SAQs) required by the card associations for PCI compliance. Those two SAQ types are the most complex and longest of the four. They contain many technical terms relating to security and virus protection software, and they also review local area network (LAN) settings, firewall protections, and connected or shared access points. Unless you are highly computer literate, you will probably want help with them; most businesses have personnel dedicated to information technology (IT) support, and your IT support staff will be best suited to complete the network security portion of these questionnaires.
Remember that SAQ type C is required if you transmit data over an open public network such as the internet or cellular signals, whether or not you store cardholder or other sensitive or personal data in an electronic format. SAQ type D is required if you store cardholder or other sensitive or personal data in an electronic format, regardless of your method of processing.
The other two types, SAQ A and SAQ B, apply if your credit card processing is done via a stand-alone dial-up credit card terminal that is not connected to any other office system or network. You may qualify to complete SAQ type A if you only call an automated voice authorization service from a regular phone. This type of processing uses no equipment beyond the merchant's phone, and there are no electronic records or hard-copy printouts.
The majority of small- to medium-sized businesses that have no business or legal need to store cardholder data electronically and use a traditional electronic credit card processing terminal are eligible to use SAQ type B to validate their PCI compliance. Please see our homepage for information on which SAQ is right for you. If your business accepts credit cards, you are required to be PCI compliant. Your business can validate its compliance for free on our homepage.