PCI and PA-DSS Compliance
"SAQ" is short for Self-Assessment Questionnaire. PCI DSS requires each merchant to complete and submit the appropriate version of the SAQ every year. Each SAQ has different requirements that must be met, a different number of questions to answer, and a very different cost of compliance.

The SAQ version a merchant must fill out depends on how the merchant accepts and handles cardholder data (annual transaction volume determines the merchant's level, and therefore whether self-assessment is permitted at all, but not which SAQ applies). For the vast majority of merchants using any kind of point-of-sale software, it comes down to a choice between SAQ-C and SAQ-D (see the table below). So what's the difference between them?

SAQ Type   Length     Annual Recurring Costs   Up-Front Costs
SAQ-C      16 pages   $200-$500                $400-$1K
SAQ-D      31 pages   $7K-$50K                 $15K-$200K

Clearly, SAQ-C is a much easier and more affordable approach for merchants. It requires little special equipment (a firewall/router in front of the POS network), and beyond the quarterly external vulnerability scans by an Approved Scanning Vendor there is not much to do once the short questionnaire has been filled out.

So what determines which SAQ a merchant must fill out? To quote the PCI Security Standards web site:  

"According to the payment brand rules, all merchants and their service providers are required to comply with the PCI Data Security Standard in its entirety. There are five SAQ Validation categories, shown briefly in the table below ... Use the table to gauge which SAQ applies to your organization, then review the detailed descriptions to ensure you meet all the requirements for that SAQ."

Here is the table of SAQ validation types and their requirements, directly from the PCI web site (SAQ version 1.2):

Type 1 (SAQ A): Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
Type 2 (SAQ B): Imprint-only merchants with no electronic cardholder data storage.
Type 3 (SAQ B): Stand-alone terminal merchants, no electronic cardholder data storage.
Type 4 (SAQ C): Merchants with POS systems connected to the Internet, no electronic cardholder data storage.
Type 5 (SAQ D): All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.

As you can see, merchants using software to process their credit card transactions are NOT eligible for SAQ-A or SAQ-B. So it's down to SAQ-C or SAQ-D. We invite you to compare the two SAQ documents themselves to see the difference in complexity.

To qualify for SAQ-C, the merchant's computer systems cannot store any cardholder data at all. That sounds straightforward, but what exactly is cardholder data? For the answer, we consulted the PCI Security Standards web site again. According to the official glossary, cardholder data means, at minimum, the full card number (the Primary Account Number, or PAN), and it remains cardholder data even when the number is stored fully encrypted in your databases.

It is critically important to understand that encrypting cardholder data does not mean it is no longer cardholder data. PCI DSS requires stored PANs to be rendered unreadable, and encryption is one accepted way to do that, but the value behind the ciphertext is still cardholder data and the system holding it is still in scope. Don't be fooled into thinking that using encryption means you won't have to complete SAQ-D.
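The practical check behind this point is whether any plaintext PAN is sitting in the merchant's own data stores. The following Python scanner is an added example, not code from this page or from Diamond Payment Systems: it looks for 13 to 19 digit runs that pass the Luhn check and reports them masked. The records it scans are constructed sample data. Note what it does not catch: the encrypted blob in the sample produces no hit, and that absence does not take the field out of scope, which is exactly the caveat above.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer run of digits (rules out most IDs and timestamps).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records in field -> value form (assumption: a flattened DB/log export).
SAMPLE_RECORDS = {
    "orders.customer_note": "Customer called back, card 4111 1111 1111 1111 exp 12/26",
    "orders.ref": "Order 1234567890123456 shipped",          # 16 digits, fails Luhn
    "payments.token": "tok_8f3c2a9e1b",                      # remote-storage token, no PAN
    "payments.pan_masked": "411111******1111",               # first six / last four only
    "payments.pan_enc": "AES256:Zm9vYmFyYmF6cXV4",           # encrypted PAN: no hit, still in scope
    "app.log": "2024-03-01 POST /charge pan=5500000000000004 amount=19.99",
}


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return plaintext PAN candidates in text as normalized digit strings."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Mask a PAN for the scan report: keep first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: dict[str, str]) -> dict[str, list[str]]:
    """Scan field -> value pairs; return only the fields holding a plaintext PAN, masked."""
    hits = {}
    for field, value in records.items():
        pans = find_pans(value)
        if pans:
            hits[field] = [mask(p) for p in pans]
    return hits


if __name__ == "__main__":
    for field, pans in scan_records(SAMPLE_RECORDS).items():
        print(f"PAN found in {field}: {', '.join(pans)}")
```

Run it over exports of every store the POS software touches, including application logs and backups, not just the main database. A clean result is necessary for the "no electronic cardholder data storage" condition but not sufficient: encrypted or otherwise encoded PANs will not be detected and still count as stored cardholder data.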

Fortunately, our remote storage engine takes all the sensitive cardholder data offsite completely. Solution developers can use our tools to remotely store all kinds of information, keeping it out of the merchant's databases completely, and thus qualifying the merchant for the much easier SAQ-C.

Merchants using software that has fully implemented our payment gateway and its remote storage engine, and whose systems do not store any cardholder data electronically (including application logs, backups and database exports), are eligible to use SAQ-C instead of SAQ-D, saving a huge amount of time, money, and headache for all involved. Diamond Payment Systems can save you tens of thousands of dollars on PCI compliance, and make it easier to sleep at night knowing stored cardholder data cannot be stolen from your computer systems - because it isn't stored there in the first place!

Why not go ahead and get signed up with us right now? Merchants, Solution Developers, and Payment Processors can all benefit from the innovative PCI compliance solutions offered by the security experts at Diamond Payment Systems!