How to Fill Out a PCI Compliance Questionnaire


Completing your PCI compliance questionnaire is a necessary step in demonstrating adherence to the regulations that govern credit card payments. According to the Payment Card Industry (PCI) Data Security Standard (DSS), businesses that process fewer than 6 million transactions annually must fill out and submit their yearly Self-Assessment Questionnaire (SAQ). With the right knowledge, anyone can learn how to fill out PCI compliance questionnaires.

First, What is a PCI Compliance Questionnaire?

The PCI compliance questionnaire is one component of the ongoing compliance efforts required of businesses that store, process, or transmit credit card data. This document is officially titled the Self-Assessment Questionnaire (SAQ).

According to the PCI Security Standards Council (SSC), the body that enforces the DSS, most companies subject to credit card data regulations must submit an SAQ annually, along with any other compliance reporting efforts.

Filling Out Your PCI Compliance Questionnaire

To fill out a PCI compliance questionnaire, your company answers a series of “yes or no” questions as a method of self-evaluation. Answering “yes” states that your company is compliant with that requirement. Answering “no” to any question means your company must include additional information explaining its remediation efforts and the expected completion date.

Who Needs to Complete a PCI Compliance Questionnaire?

Nearly all companies that store, process, or transmit credit card data must comply with PCI DSS and its associated procedures. The transaction volume your company handles determines the rigor of its compliance obligations through its designated Level.

PCI Compliance Levels

Companies subject to PCI regulations are sorted among four Levels, as follows:

All companies besides those in Level 1 must submit their yearly SAQ. Each Level follows its own reporting requirements, which become more complicated as transaction volume increases. Level 1 businesses must pass a thorough assessment by an approved third party rather than completing an SAQ.


Which PCI Compliance Questionnaires Must A Company Submit?

The PCI compliance questionnaire has nine different versions. Identifying the specific SAQ that applies to your company depends on how you interact with credit card data:

The Information Needed to Fill Out a PCI Compliance Questionnaire

PCI compliance questionnaires are typically 20 pages in length. On them, companies must provide basic information about their payment transaction environment and answer questions regarding their interactions with cardholder data. Questions may be answered with “Yes,” “Yes with a CCW,” “No,” or “N/A”:

Some merchants may be bound by legal exceptions that prevent them from meeting the requirement an SAQ question covers. If so, merchants must answer “no” and explain the reason in Part 3 of the form.

Compensating Controls Worksheets

If you rely on compensating controls to meet the requirements specified on your PCI compliance questionnaire, you must complete a Compensating Controls Worksheet (CCW) and attach it to your submission. The CCW describes the control you implemented and explains how its use in your transaction environment allows you to answer “yes” to a given question.

PCI Compliance Questionnaire Section 1

Your SAQ’s beginning portions—comprising Section 1’s Part 1 and Part 2—provide an overview that contains basic information relevant to PCI DSS compliance. Part 1 merely requires contact information. Part 2, the “Executive Summary,” specifies your transaction processes, including:

PCI Compliance Questionnaire Section 2

In Section 2 of your SAQ, you provide “yes or no” answers to the listed questions. The questions pertain to the PCI DSS Requirements relevant to your business, which depend on the questionnaire version you must submit. The PCI DSS comprises the 12 Requirements merchants must adhere to for regulatory compliance.

The expected testing procedures relevant to each question are listed as well. These specifications help you complete the questionnaire if you are unclear on which verification methods must be used to attest to your compliance.

PCI Compliance Questionnaire Appendices: A, B, and C

Your SAQ likely requires completing the three appendices to provide additional information that supports your compliance efforts: