For organisations that need to self-assess to validate PCI compliance, the SAQ is the document that must be successfully completed, reflecting the successful implementation of all applicable PCI requirements. Representing the PCI Data Security Standard, the SAQ currently has 4 versions, reflecting the card processing arrangements of different organisations.
SAQ documents are available at the PCI Security Standards Council's web site (http://www.pcisecuritystandards.org). There you will find the full PCI standard and SAQ A, B, C and D. Which SAQ to complete is detailed at the site - and depends on how you store, process or transmit card data.
For some of the more comprehensive SAQs (e.g. SAQ D), there is a significant amount of work to i) understand the document, ii) complete it accurately and iii) ensure that card processing arrangements are indeed compliant with all of the requirements within the SAQ.
Organisations are often asked to complete the document by an Acquiring bank. They will also be expected to complete the document annually.
We are often asked to provide assistance to complete the SAQ - to ensure that organisations submit a document that has been completed accurately and with recognised (QSA) independent support. Acquirers often view the assistance provided by QSAs as a very positive step on submission of the SAQ.
As with our onsite QSA assessments, we work with our clients to understand the intent behind each area of the SAQ. This understanding leads to a more accurate completion of the document, which is then double-checked by our QSA team. Assistance with SAQ submission to Acquirers (and other requesting parties if applicable) is provided.
We see the accurate completion of SAQs as very important. So important that we have included the service as part of our ASV scanning and self assessment service. Clients can be confident that they are getting the very best advice to guide them through the entire PCI compliance process.
Our ASV clients value our comprehensive and approachable style. Right from initial contact, we aim to assist clients with the correct course of action to get PCI compliant - even if it means that our services are not required.
Our support service includes:
- Review of card processing & selection of correct SAQ.
- End-to-end review of the SAQ (telephone or onsite).
- Review of cardholder data environment scope and possible strategies for reduction of that environment.
- A review of any third party involvement & associated PCI compliance responsibilities.
- Liaising with Acquirers.
Feel free to contact us to discuss any aspect of your security or compliance programme.
Some useful tips when self assessing:
- If you work with an Acquirer, you should have received a request from them to validate your PCI compliance. Many Acquirers include advice on what Merchant level you are and what SAQ to complete.
- For Merchants, satisfying your Acquirer's requests is paramount. They will be working with payment card brands (Mastercard, Visa, Amex, JCB & Discover) to track the PCI compliance progress of their Merchant customer base. Keeping your Acquirer up to date on progress is therefore highly important.
- If you have not been told what your Merchant level is - do not worry. It is based on the number of transactions that you process. The rules are set by individual card brands - but are very similar for each. Contact us directly for advice on this.
- Once you know your Merchant level, you can determine how to validate compliance (unless your Acquirer has told you directly). Level 3 and 4 Merchants validate using a Self Assessment Questionnaire. You can find out more about the SAQ at http://www.pcisecuritystandards.org.
- There are 4 types of SAQ: A, B, C and D. Each is based on the PCI Data Security Standard. The SAQ that you opt to complete is based on how you store, process or transmit card data. It is worth understanding your arrangements before reviewing the SAQs.
- Once the SAQ is completed, the document needs to be submitted to your Acquirer. They may have told you to submit it by a particular date. A very important point to note is that you must complete the SAQ accurately. If there are sections that are not compliant, mark them as such and let your Acquirer know what you are going to do to fix the problem and when you are going to perform the work. Transparency is key.
Additional Information
- We are an experienced PCI Auditor, assisting companies for over 5 years.
- Communication is very important and our self assessment package includes invaluable advice that often saves organisations time and money.
- If required, we can independently liaise with your Acquirer to ensure you correctly interpret Acquirer requests.
- Top 10 PCI DSS compliance reduction strategies.
Feel free to contact us to discuss any aspect of your security or compliance programme.