Assessing the Security of Your Cardholder Data with a Self-Assessment Questionnaire (SAQ)
In the best of circumstances, completing a Self-Assessment Questionnaire (SAQ) can be time-consuming; in the worst case, it becomes a check-the-box activity that doesn’t meet your business requirements. Obstacles your team may face include:
- Selecting the correct questionnaire for your business.
- Creating a submission-ready questionnaire.
- Ensuring the remediation activities required to achieve full PCI compliance are planned and resourced appropriately.
- Task prioritization and project management.
- Finding and implementing products and services to resolve non-compliant areas.
CyberSheath uses a Self-Assessment Questionnaire (SAQ) as a self-validation tool for merchants and service providers to assess the security of their cardholder data.
It is made up of two components:
- A set of yes-or-no questions corresponding to the PCI Data Security Standard requirements applicable to the service provider or merchant.
- An Attestation of Compliance or certification that you are eligible to perform and have performed the appropriate Self-Assessment (this will be packaged with your selected questionnaire).
Who should complete an SAQ?
SAQs are intended for Level 2–4 merchants, who are not required to submit a Report on Compliance. Regardless of where you fall in the merchant level definitions, completing an SAQ can measurably improve your cybersecurity and save you both time and money.
What are the criteria for passing or failing an SAQ?
Merchants have to pass ALL questions (or deem them ‘not applicable’) to be considered compliant with the PCI Data Security Standard. Failing any question means the merchant or service provider is not compliant. The risk(s) identified within the questionnaire must be remediated and the questionnaire retaken.
Which SAQ should I take?
There are several different questionnaires available to match different merchant environments, and selecting the SAQ most relevant to you can be confusing. A CyberSheath-led SAQ assessment can help you select the questionnaire that best applies to your business.
The benefits of working with CyberSheath to complete your SAQ include:
- Selection of the appropriate questionnaire.
- A submission-ready PCI DSS Self-Assessment Questionnaire.
- A Questionnaire Summary documenting the control areas in which you failed to comply.
Should you fail to comply, you’ll also receive a customized remediation plan of action with milestones, including:
- Comprehensive remediation activities required to achieve full PCI compliance.
- Remediation planning to enable task prioritization and project management.
- A non-compliant resolution summary with links to recommended products and services that will help you cost-effectively resolve non-compliant areas.
- Engineering resources to implement required remediations.