Understanding PCI Compliance Questionnaires

July 30, 2021 David Gibb

Defined by the Security Standard Council, the Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines that require businesses that store, process, and/or transmit credit card payments and cardholder data to comply with technical and operational best practices. 

Simply put, if you accept or process credit card payments—regardless of the dollar amount collected or whether a Visa, Mastercard, American Express, Discover, prepaid card, or debit card is used—PCI DSS applies to you.  


Becoming PCI compliant not only tells your customers that you are protecting them against data breaches, but it also protects your company from cybersecurity attacks.

But just how do you know if your business is PCI compliant? 

Enter PCI Self-Assessment Questionnaires (SAQs), otherwise known as PCI compliance questionnaires. 

If you’re new to PCI SAQs and how to use them to evaluate your levels of compliance, this guide is here to help. 

Below, we will break down:

  • What PCI SAQs are.
  • How they correlate with different levels of merchant compliance.
  • The importance of maintaining PCI compliance to protect your business and your customers.

What are PCI SAQs?

PCI SAQs are comprehensive self-validation tools that evaluate your cardholder data security, as well as provide you and your customers with peace of mind. These PCI compliance questionnaires include a series of yes-or-no questions for applicable PCI DSS requirements. 

It’s important to note that there are different SAQs to meet standards set within different merchant environments.

PCI SAQs and Merchant Compliance Levels

PCI SAQs are based upon four levels of PCI merchant compliance, which include:

  • Merchant Level 1: Over 6 million transactions a calendar year.
  • Merchant Level 2: 1 to 6 million transactions a calendar year.
  • Merchant Level 3: 20,000 to 1 million transactions a calendar year.
  • Merchant Level 4: Less than 20,000 transactions a calendar year.

Merchant Level 1 Requirements

If you fall into the Level 1 category, you are a major merchant or service provider that collects credit card information and processes over 6 million transactions each year—which means you are subject to the highest PCI compliance standards. 

For Level 1 merchants, you’ll have to complete:

  • An annual risk assessment using the appropriate SAQ.
    • An Attestation of Compliance (AOC), which certifies that you are eligible to perform the SAQ.
  • An annual audit completed by a qualified PCI auditor.
  • Quarterly scans on your network and infrastructure by an approved third-party vendor.

You may also qualify as a Level 1 merchant if you process more than 2.5 million American Express transactions, or if you have had a cyberattack or data breach that resulted in compromised credit card data. It’s important to note that you only need one data breach and one piece of credit card data stolen to qualify into this category. 

Merchant Level 2 Requirements

You are a large-scale merchant or service provider who collects credit card information and processes between 1 million to 6 million transactions each year. You can also qualify as a Level 2 merchant if you process between 50,000 and 2.5 million American Express transactions. 

If you fall into the Level 2 category, you must complete: 

  • An annual risk assessment using the appropriate SAQ.
  • Quarterly scans of your network by a third-party vendor, although not always required in some cases.

Merchant Level 3 Requirements

You are a medium to large-scale merchant or service provider who collects credit card information and processes between 20,000 and 1 million VISA and Mastercard eCommerce transactions each year. You can also qualify as a Level 3 merchant if you process fewer than 50,000 American Express transactions each year. 

If you fall into the Level 3 category, you must complete:

  • An annual risk assessment using the appropriate SAQ.
  • Quarterly scans of your network by a third-party vendor, although not always required in some cases.

Merchant Level 4 Requirements

You are a small-scale merchant or service provider who collects credit card information and processes less than 20,000 eCommerce transactions each year and less than 1 million total Visa and MasterCard transactions. American Express transactions are not applicable for Level 4 merchants.

If you fall into the Level 4 category, you must complete:

  • An annual risk assessment using the appropriate SAQ.
  • Quarterly scans of your network by a third-party vendor, although not always required in some cases.
Liquid Web’s PCI Compliance Scanning tool will provide you with a set of three reports: an Attestation of Compliance (AOC), an Executive Report, and a Detailed Report.

12 Security Standards for PCI Compliance at All Merchant Levels

Diagram showing the journey of a card payment transaction from the customer to a merchant bank account.

There are 12 security standards per the PCI DSS framework that all merchant levels must have across their internal and external networks, including:

  1. Installing and maintaining a firewall configuration to protect cardholder data.
  2. Not using vendor-supplied defaults for your system passwords and other security parameters.
  3. Protecting stored cardholder data.
  4. Encrypting transmission of cardholder data across open and public networks.
  5. Using and regularly updating your antivirus software.
  6. Developing and maintaining secure systems and applications.
  7. Restricting access to cardholder data by business need-to-know basis.
  8. Assigning a unique ID to each person with computer access.
  9. Restricting physical access to credit card data.
  10. Tracking and monitoring all access to network resources and cardholder data.
  11. Regularly testing security systems and processes.
  12. Maintaining a security policy that addresses information security for employers and contractors.

Another security standard that you can follow is to find a processor or gateway that will house your credit card data in a token. 

Tokenization helps against cyberattacks by replacing the customer’s primary account number (PAN) with a string of randomly-generated numbers (known as a token). Tokens can then be passed through the Internet or the wireless networks needed to process a payment without exposing PANs.

When searching for a tokenization processor, be sure to choose a PCI-compliant organization. 

Overview of SAQ Types

There are eight different types of SAQs that you need to select from based on your PCI compliance level and your merchant network. 

These SAQs include:

SAQ# of QuestionsDescriptionVulnerability Scan?Penetration Scan?
A22eCommerce website (third party):
• Fully outsourced card acceptance and processing.
• Merchant website provides an iFrame or URL that redirects a consumer to a third-party payment processor.
• Merchant cannot impact the security of the payment transaction.
NN
A-EP191eCommerce website (direct post):
• Merchant website accepts payment using direct post or transparent redirect service.
YY
B41Processes cards via:
• Analog phone, fax, or stand-alone terminal.
• Cellular phone (voice), or stand-alone terminal.
• Knuckle buster/imprint machine.
NN
B-IP82Processes cards via:
• Internet-based stand-alone terminal isolated from other devices on the network.
YN
C-VT79Processes cards:
• One at a time via keyboard into a virtual terminal.
• On an isolated network at one location.
• No swipe device.
NN
C160Payment application systems connected to the Internet:
• Virtual terminal (Not C-VT eligible).
• IP terminal (Not B-IP eligible).
• Mobile device (smartphone/tablet) with a card processing application or swipe device.
• View or handle cardholder data via the Internet.
• POS with tokenization.
YN
D329eCommerce website:
• Merchant website accepts payment and does not use a direct post or transparent redirect service.

Electronic storage of card data:
• POS system not utilizing tokenization or P2PE.
• Merchant stores card data electronically (email, e-fax, recorded calls, etc.).
YY
P2PE33Point-to-point encryption
• Validated PCI P2PE hardware payment terminal solution only.
• Merchant specifies they qualify for the P2PE questionnaire.
NN

The Importance of Maintaining PCI Compliance

Maintaining PCI compliance is important for merchants at all levels, as it will help you protect your business against cyberattacks, safeguard sensitive customer data, and avoid fines that could be between $5,000 and $100,000 per month. To ensure you are meeting compliance standards, you can perform vulnerability and penetration scans based on which type of SAQ you complete.  

Vulnerability Scans

A vulnerability scan allows you to scan your system network and applications to look for weaknesses in your operating system, services, and devices that could be targeted by hackers. It’s beneficial to perform vulnerability scans once a quarter, and you must submit a passing scan to your processor for each card type you accept. 

There are several PCI-approved vulnerability scanning vendors you can use to ensure your network stays secure. 

Penetration Scans

Penetration scans are performed annually on top of your quarterly vulnerability scans. These scans are used to exploit any vulnerabilities in your code or network that may pave the way for hackers to gain access to sensitive information. Penetration scans utilize real users who attempt to dig into your system to find any weaknesses. While these tests can be expensive, they are crucial to ensuring your network stays secure. 

Note: You can perform penetration scans internally, but these tests must be conducted by a qualified user who is independent of the system they are checking. 

Liquid Web’s Security Team performs these penetration tests for Liquid Web customers.

Liquid Web Can Help With PCI Compliance Scanning and Vulnerability Scanning

Ensure your business is compliant and that your systems are up to date and secure with PCI Compliance Scanning and Vulnerability Scanning products from Liquid Web.

About the Author

David Gibb

David Gibb is the Financial Controller at Liquid Web. He has over 20 years of experience working in Finance. He is a CPA in Canada, CGMA in the United Kingdom, and a CPA in Australia.

More Content by David Gibb
Previous Article
Why Should Your Business Choose VMware?
Why Should Your Business Choose VMware?

Find out what VMware is, how vCenter works, and the top 5 reasons why you should move to VMware for virtual...

Next Article
Looking for Stellar WordPress Products? Look No More
Looking for Stellar WordPress Products? Look No More

Liquid Web announces a discount to popular WordPress plugins under the StellarWP software umbrella, includi...