Self Assessment Questionnaire (SAQ)

Secure your business with CyberHoot Today!!!

Sign Up Now

A Self Assessment Questionnaire (SAQ) is most commonly used in the Payment Card Industry Data Security Standard (PCI-DSS) space to determine if a merchant or service provider is compliant with PCI-DSS standards. There are 8 different SAQ types, each for different types of organizations that handle PCI information. The 8 different types can be found below:

How you process credit cards and handle cardholder data determines which SAQ your business needs to fill out. For example, if you don’t have a storefront and all your products are sold online through a third party, you probably qualify for SAQ A or SAQ A-EP. If you do have a storefront that processes credit cards through the Internet and you also store customer credit card data, you’re probably an SAQ D merchant.

Transaction Volumes Dictate Audit Requirements

Beyond completing an SAQ for your PCI compliance needs, there is a secondary metric SMBs should consider – namely transaction volumes. PCI-DSS also has ranges of transaction volumes that dictate whether you can self-assess (below 20,000 credit card transactions a year) and must hire an outside QSA (Qualified Security Assessor) where you are Level 2 or Level 1 compliance level, to perform an audit of your company.

What does this mean for an SMB?

The SAQ or Self-Assessment Questionnaire isn’t just a roadmap to compliance; it’s a roadmap to better cybersecurity. Filling out a PCI SAQ is one of the best ways to make sure you aren’t missing any business security requirements. In addition, merchant processors don’t want to work with insecure businesses, so they typically require each merchant to provide a PCI SAQ as proof of payment security. If your organization works with PCI data, then you likely have completed or need to complete an SAQ, reference the table above for which SAQ is applicable to your business. Working through your SAQ will help you determine what you should be doing, but the information below will help you improve your cybersecurity hygiene even further.  

Additional Cybersecurity Recommendations

Additionally, these recommendations below will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.

1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, deploy DNS protection, antivirus, and anti-malware on all your endpoints.
5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc) or prohibiting their use entirely.
6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

All of these recommendations are built into CyberHoot the product or CyberHoot’s vCISO Services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.

To learn more about PCI Compliance and the PCI SAQs, watch this short 2-minute video:

Sources: 

Security Metrics

PCI Security Standards

Reciprocity

Additional Reading:

An Overview of PCI Compliance

MSPs Should Require Risk Assessments

Related Terms:

PCI-DSS

Risk Assessment

AES Encryption

CyberHoot does have some other resources available for your use. Below are links to all of our resources, feel free to check them out whenever you like: 

• Blog
• Cybrary (Cyber Library)
• Infographics
• Newsletters
• Press Releases
• Instructional Videos (HowTo) – very helpful for our SuperUsers!

Note: If you’d like to subscribe to our newsletter, visit any link above (besides infographics) and enter your email address on the right-hand side of the page, and click ‘Send Me Newsletters’.