You are currently on IBM Systems Media’s archival website. Click here to view our new website.



Changes to the PCI DSS Self-Assessment Questionnaire help businesses more easily comply with data-security standards.

Changes to the PCI DSS Self-Assessment Questionnaire help businesses more easily comply with data-security standards.
Illustration by Julia Breckenreid

Self-Assessment Questionnaire

Most merchants are required to complete the PCI DSS Self-Assessment Questionnaire (SAQ). The SAQ is a tool for organizations to gauge their compliance level with the standard.

The SAQ isn’t required for level 1 merchants, but is required for levels 2, 3 and 4. Don’t think level 1 merchants are getting off easy though—instead of the SAQ, they’re subject to an on-site review from either an internal auditor or an external assessment company known as a qualified security assessor. Additionally, level 1, 2 and 3 merchants must have quarterly network scans performed by an approved scanning vendor. Your acquirer may have additional or different requirements. You can obtain lists of the qualified security assessors and approved scanning vendors from the Web sites listed in “Resources”.

The SAQ was updated in February with the release of version 1.1. The new SAQ (available at has become four different questionnaires, depending on the type of payment-card activity. While the merchant level in the previous section was based on volume of transactions, the SAQ validation type is determined by how your credit-card processing system operates. As identified by the PCI Security Standards Council, the different SAQ validation types are:

  • Type 1—Card-not-present (e-commerce, mail or telephone order) merchants that outsource all cardholder data functions; this would never apply to face-to-face merchants
  • Type 2—Imprint-only merchants with no electronic cardholder data storage
  • Type 3—Stand-alone terminal merchants with no electronic cardholder data storage
  • Type 4—Merchants with POS systems connected to the Internet and no electronic cardholder data storage
  • Type 5—All other merchants and all service providers defined by a payment brand as eligible to complete an SAQ

The SAQ guide will help you identify your validation type, but here’s a brief explanation of each type. First, electronic cardholder data means the unencrypted payment-card number, unencrypted expiration data and unencrypted track data. Another distinction is whether the system is connected to other systems and/or to the Internet.

Type 1 is where all of your payment-card processing is outsourced—no electronic cardholder data is kept, and all transactions are card-not-present. This could be where an organization is handling credit-card authorizations for several smaller organizations, including e-commerce transactions. Type 2 is when imprint machines only are used, with no electronic cardholder-data retained. Think of a standalone kiosk at a festival, or a small store that isn’t electronically connected (not even a phone line). Type 3 is when dial-out machines are used. This is pretty common in restaurants and shops, especially when you can hear the dial tone after they swipe your card. No electronic cardholder data is kept, and the devices that do the dialing (usually PCs) are not connected to other systems or to the Internet. Type 4 is where many IBM* Power* Systems running i will be. This is where the credit-card software (or POS software) vendor provides the secure support, primarily through credit-card number encryption and secure (think SSL or encrypted) transmission. All the Power Systems running i payment card processing vendors I know have this capability—if yours doesn’t, find one that does. Electronic cardholder data isn’t stored. Type 5 is for service providers and for any merchant that doesn’t fit in Types 1-4.

The SAQ that must be completed by all of the different types contains a subset of all the PCI DSS requirements identified earlier. The difference is the number of questions on the questionnaire. Type 1 uses SAQ A, which consists of 11 questions. Types 2 and 3 use SAQ B, 21 questions. Type 4 uses SAQ C, which is 38 questions. Type 5 uses SAQ D, 226 questions—in other words, the complete requirements-based questionnaire.

Before the February change, all respondents had to complete the full questionnaire. Since this was such a large task, many organizations refused it. So the PCI Security Standards Council changed the SAQ to make it more reasonable, which in turn enables more SAQs to be completed.

Another part of each SAQ is the Attestation of Compliance. An executive must sign this document, which indicates that the organization is compliant or non-compliant with the PCI DSS. If the organization is non-compliant, a compliance target date must be established. Once the SAQ and that attestation are complete, the information would be sent to the acquirer. Your acquirer will likely give a timetable for completion and would provide the details for submission.

Michael Ryan is a technical editor with IBM Systems Magazine. Michael can be reached at



2019 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.


A Guide to Passing an Audit


A Look at COBIT Security

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
IBMi News Sign Up Today! Past News Letters