How to Fill Out a PCI Compliance Questionnaire

Completing your PCI compliance questionnaire marks a necessary step in your efforts to demonstrate adherence to regulations overseeing credit card payments. According to the Payment Card Industry’s (PCI) Data Security Standards (DSS), businesses that process fewer than 6 million transactions annually must fill out and submit their yearly Self-Assessment Questionnaire (SAQ). With the right knowledge, anyone can learn how to fill out PCI compliance questionnaires.

First, What is a PCI Compliance Questionnaire?

The PCI compliance questionnaire is one part that comprises the ongoing compliance efforts for businesses that store, process, or transmit credit card data. This document is officially titled the Self-Assessment Questionnaire (SAQ).

According to the PCI Security Standards Council (SSC), the body that enforces the DSS, most companies subject to credit card data regulations must submit an SAQ annually, along with any other compliance reporting efforts.

Filling Out Your PCI Compliance Questionnaire

To fill out a PCI compliance questionnaire, your company will answer “yes or no” questions as a self-evaluation method. Should you answer “yes,” your company states its compliance. However, should you answer “no” for any question, your company will need to include additional information that explains your remediation efforts and the expected completion date.

Who Needs to Complete a PCI Compliance Questionnaire?

Nearly all companies that store, process, or transmit credit card data must comply with PCI DSS and the associated regulatory procedures. The transaction volume your company handles determines its compliance efforts’ severity and rigor via your designated Level.

PCI Compliance Levels

Companies subject to PCI regulations are sorted among four Levels, as follows:

• Level 1 – Merchants processing over six million transactions per year
• Level 2 – Merchants processing one to six million transactions per year
• Level 3 – Merchants processing 20,000 to one million transactions per year
• Level 4 – Merchants processing fewer than 20,000 transactions per year

All companies besides those in Level 1 must submit their yearly SAQ. Each Level follows its own reporting requirements, which become more complicated as transaction volume increases. Level 1 businesses must pass a thorough assessment by an approved third party rather than completing an SAQ.

Which PCI Compliance Questionnaires Must A Company Submit?

The PCI compliance questionnaire has nine different versions. Identifying the specific SAQ that applies to your company depends on how you interact with credit card data:

• Questionnaire A – For merchants that rely on e-commerce, mail, and telephone orders and don’t store, process, or transmit any cardholder data electronically via their systems or on-premises (i.e., “card-not-present merchants”). These businesses have outsourced all cardholder data operations to a third-party service provider that maintains its own PCI DSS compliance.
• Questionnaire A-EP – For merchants that rely on e-commerce and don’t receive cardholder data directly but utilize a website that may impact payment security. These businesses have outsourced most cardholder data operations to a third-party service provider that maintains its own PCI DSS compliance. Businesses must not store, process, or transmit any cardholder data electronically via their systems or on-premises.
• Questionnaire B – For merchants that exclusively use either imprint machines or standalone, dial-out terminals that do not store cardholder data electronically.
• Questionnaire B-IP – For merchants that exclusively use standalone, PTS-approved payment terminals. PTS refers to “PIN transaction security.” These payment terminals rely on an IP connection to the payment processor but do not store cardholder data electronically.
• Questionnaire C-VT – For merchants that enter transactions individually into an Internet-based virtual terminal solution via keyboard. The virtual terminal solution must be hosted and maintained by a PCI DSS compliant third-party and may not store cardholder data electronically.
• Questionnaire C – For merchants that use internet-connected payment application systems. The payment application systems must not store cardholder data electronically.
• Questionnaire P2PE-HW – For merchants that exclusively use hardware payment terminals maintained by and included within a PCI DSS-approved P2PE solution. The P2PE must not store cardholder data electronically.
• Questionnaire D for Merchants – For merchants that don’t fall under the above Questionnaires.
• Questionnaire D for Service Providers – For service providers subject to PCI compliance questionnaire submission, as specified by a payment card brand.

The Information Needed to Fill Out a PCI Compliance Questionnaire

PCI compliance questionnaires are typically 20 pages in length, on which companies must provide basic information about their payment transaction environment and answer questions regarding their interactions with cardholder data. Questions may be answered with “Yes,” “Yes with a CCW,” “No,” or “N/A:”

• Yes – All question elements have been satisfied and confirmed by the expected testing results.
• Yes with a Compensating Control Worksheet (CCW) – All question elements have been satisfied by using a compensating control and confirmed by the expected testing results. Information relevant to the compensating controls must be provided via CCWs and included in the SAQ’s Appendix B.
• No – Question elements involve unmet requirements, incomplete implementation, or incomplete testing.
• N/A – Question elements don’t apply to the given merchant transaction processes. Answering N/A for a question on your PCI compliance questionnaire requires adding a supporting explanation in the SAQ’s Appendix C.

Some merchants may be bound by legal exceptions that prevent them from meeting SAQ questions. If so, merchants must answer “no” and explain the reason in Part 3 on the form.

Compensating Controls Worksheets

If you rely on compensating controls to meet the requirements specified on your PCI compliance questionnaire, you must complete a CCW and attach it to your submission. The CCW explains the implemented control and how its use in your transaction environment allows you to answer “yes” for a given question.

PCI Compliance Questionnaire Section 1

Your SAQ’s beginning portions—comprising Section 1’s Part 1 and Part 2—provide an overview that contains basic information relevant to PCI DSS compliance. Part 1 merely requires contact information. Part 2, the “Executive Summary,” specifies your transaction processes, including:

• Business type (i.e., your industry and how you handle credit card transactions)
• Location(s)
• Payment applications utilized
• Environmental descriptions
• Third-party service providers utilized
• Eligibility to complete the specific SAQ version

PCI Compliance Questionnaire Section 2

Your SAQ’s Section 2 will provide “yes or no” answers to the listed questions. The questions pertain to the PCI DSS Requirements relevant to your business and based on which questionnaire version you must submit. The PCI DSS comprises the 12 Requirements merchants must adhere to for regulatory compliance.

The expected testing procedures relevant to each question are listed as well. These specifications will assist completion if you are unclear on what verification methods must be used to attest to your compliance.

PCI Compliance Questionnaire Appendices: A, B, and C

Your SAQ likely requires completing the three appendices to provide additional information that supports your compliance efforts:

• • Appendix A – This section includes questions regarding:
    • Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections
    • Designated Entities Supplemental Verification
    • • Constraints
      • Objective
      • Identified risk
      • The compensating control’s definition
      • The compensating control’s validation
      • Maintenance

      PCI Compliance Questionnaire Section 3

      Your SAQ’s final section validates and attests to your PCI DSS compliance efforts. Should you fail to meet a PCI DSS Requirement, you must provide an action plan that specifies your remediation efforts and the date by which implementation will be complete.

      Simplify Your PCI Compliance Questionnaire

      Completing your PCI compliance questionnaire is a task that falls under “simple in theory.” While the process remains relatively straightforward, the information required to answer each question fully can quickly become overwhelming. For guidance that helps simplify SAQ completion, contact the experts.

      RSI Security provides complete PCI compliance services. As a PCI SSC-approved Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), RSI Security knows all the ins and outs needed to adhere to credit card transaction compliance.

      Contact RSI Security today for first-class expertise on all compliance and cybersecurity efforts.

      Download Our PCI DSS Checklist

      Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.