Caveat: This isn’t a post about which Self-Assessment Questionnaire (SAQ) you should use. You can confirm that by speaking with your acquiring bank. Confide can assist in these conversations and give our opinion on which SAQ we believe is correct, but your acquiring bank will make the final decision.
There are a lot of acronyms that get used in relation to payments: RoC, AoC, SAQ, P2PE, PTS, PA-DSS and of course PCI DSS.
This article focuses on distinguishing some of the different types of reports that are used to demonstrate PCI compliance.
What Determines What Report I Can Use?
Short Answer: The bank.
Longer Answer: The bank will review the number of transactions that you do each year and the payment channels that you support. They may also review whether they consider you a service provider or whether you fit the definition of a payment aggregator or facilitator. Based on this, they may direct you to a QSA to review your payment channels and provide advice, or they may already have an expectation around what reporting you need to provide.
Let’s start with transaction volume, since that is one of the first things which will help determine whether you can self-assess or whether you need a full Report on Compliance (RoC). Merchants and service providers have different thresholds for the number of transactions which will require a particular report type.
Merchant Transaction Volume
|Merchant Level||Number of Transactions (Annual)||Payment Channel||Assessment Requirements|
|Level 1||6+ Million||All Channels||Annual Onsite Assessment (RoC) by a QSA|
|Level 2||1 - 6 Million||All Channels||Self-Assessment Questionnaire (SAQ) by an ISA; Onsite assessment by a QSA (MasterCard)|
|Level 3||20,000 - 1 Million||E-Commerce||Self-Assessment Questionnaire (SAQ)|
|Level 4||Up to 1 Million||All Channels||Self-Assessment Questionnaire (SAQ)|
|Level 4||Fewer than 20,000||E-Commerce||Self-Assessment Questionnaire (SAQ)|
Service Provider Transaction Volumes
|Service Provider Levels||Transaction Volume (Annually)||Assessment Type|
|Level 1||More than 300,000 transactions||Report on Compliance (RoC)|
|Level 2||Fewer than 300,000 transactions||Self-Assessment Questionnaire (SAQ)|
It is worth noting though that even if you do not meet the transaction volume for a Report on Compliance, the bank, the card brands, or even your customers might require it.
Self-Assessment Questionnaires (SAQ)
As of 2020, PCI has nine different SAQs that apply to different payment channels, methods of transactions, and type of entity (merchant or service provider). These are summarised below.
|SAQ||Summary of Payment Channels|
|A||Card-not-present merchants that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers. No storage, processing, or transmission of cardholder data on the merchant systems or premises.|
|A-EP||E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have one or more websites that don't directly receive cardholder data but can impact the security of the payment transaction. No storage, processing, or transmission of cardholder data on the merchant systems or premises.|
|B||Merchants using either imprint machines and/or standalone, dial out terminals. No electronic storage of cardholder data. No e-commerce.|
|B-IP||Merchants using standalone PTS-approved payment terminals with an IP connection to the payment processor. No electronic storage of cardholder data. No e-commerce.|
|C||Merchants with payment application systems connected to the internet. No electronic storage of cardholder data. No e-commerce.|
|C-VT||Merchants who manually enter a single transaction at a time via a keyboard into an internet-based virtual terminal solution provided and hosted by a PCI compliant third party service provider. No electronic storage of cardholder data. No e-commerce.|
|P2PE||Merchants using only hardware payment terminals included in and managed via a PCI SSC listed P2PE solution. No electronic storage of cardholder data. No e-commerce.|
|D (Merchant)||All other merchants not included in the descriptions above. Merchants with multiple payment channels. Merchants that store cardholder data.|
|D (Service Provider)||All service providers who are eligible to complete a SAQ.|
Each SAQ has a set of criteria to use it. You have to be able to attest that you meet all of the criteria in order to use that particular SAQ. Every SAQ other than SAQ D requires you to attest that you do not store any cardholder data. One way to prove this is to use a data discovery tool to search your systems for unprotected credit card numbers.
The only SAQ that service providers are allowed to use if they do not meet the threshold for a full Report on Compliance is SAQ D for Service Providers. If a service provider gives you an AoC using any other SAQ, they have not been assessed as a service provider.
Merchants are able to use any of the other eight SAQs depending on their payment channels. When there are multiple payment channels, the bank may ask you to submit SAQ D to cover all your payment channels or they may accept multiple SAQs. Every SAQ other than SAQ D requires you to attest that the payment channel described is your only payment channel. Because of this, SAQ D is usually the most appropriate. You should always check with your bank if you have multiple payment channels.
The self-assessment questionnaires (SAQs) are a shortened version of the full standard reduced to the minimum controls that must be in place for that payment channel. However, just because the other requirements are not included in the SAQ does not mean that they do not have to be met. A key takeaway from PCI is that every requirement must be met by at least one party. The SAQs themselves require you to attest that each of the service providers who are involved in your transaction processes are PCI compliant. If you cannot attest to this, you generally won’t be able to use the SAQ because there will be gaps in the requirements that have not been assessed.
There is no difference between the requirements in the SAQs and the requirements in the RoC. Only the reporting format differs.
You may be able to complete a SAQ yourself, or you may need assistance with it. Confide can help you understand the requirements and complete your SAQ regardless of your size. Sometimes you may be able to use a SAQ, but your stakeholders want some independence and assurance around the controls that they are signing off as complying with, and a QSA can provide that independent assurance through our SAQ assistance.
Report on Compliance
The Report on Compliance (RoC) template starts at 191 pages in v3.2.1 of the Standard. As mentioned before, the requirements themselves are the same. The main difference is in the level of detail in the reporting. Each requirement in the RoC asks for verification of how the control was validated to be in place through a combination of interviews, configuration reviews, document reviews, and observations.
A RoC usually takes much longer to complete than a SAQ because of the amount of detail it requires. Even if you are only required to complete a SAQ, we recommend reviewing the RoC Reporting Template available from the PCI website to understand what kinds of information you should be asking about when you review your SAQ.
A RoC can only be completed by a QSA. Confide has extensive experience in completing RoCs in New Zealand, and if you need a RoC, contact us.
Supplemental Report on Compliance / Designated Entities Supplemental Validation
Appendix A3 sets out additional controls which may be required by a payment brand or an acquirer to provide additional validation and assurance that PCI DSS requirements and processes are maintained effectively and continuously. You only have to complete this appendix if it is requested by the payment brand(s) or banks.
The S-RoC / DESV is an additional 20 controls that build on the existing reporting in the RoC.
Attestation of Compliance
Regardless of what reporting requirements you have, part of those requirements will also include your Attestation of Compliance (AoC). The AoC summarises the findings in your SAQ or RoC and has a set of statements that your executive is required to attest to. If you have worked with a QSA on it, your QSA will also sign the AoC.
Need More Help?
If you need more help with your compliance, Confide can assist you at all the stages from scoping and PCI gap analysis through to completing a full independent assessment. Contact us for more information.