
The Importance of a PCI DSS Self-Assessment Questionnaire


You’re a busy and important person, with many plates to spin and deals to win. I get that! Understandably, sometimes things fall through the cracks, but can you really handle hefty fines or the headache of a data breach? Probably not. With more business conducted online and through credit cards than ever, it’s essential to secure transactions for your customers and business.

86% of data breaches are financially motivated and payment card data is the most sought-after commodity. And web applications, rather than point-of-sale (POS) devices, are the primary target.

This is why credit card companies need PCI DSS compliance. Let’s explore what PCI DSS compliance means for businesses and why a PCI DSS Self-Assessment Questionnaire is so important.

What Is PCI DSS Compliance?

Credit card numbers are some of the most valuable personal identifiers around. The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework designed to help organizations protect that information.

PCI DSS is an actionable framework that helps you prevent, detect and react to security incidents. If you store, process, or transmit cardholder data, you must be compliant to reduce the risk of a breach and lessen its impact.

The cards you work with and the number of transactions completed over a year determine which PCI DSS controls apply. There are levels for merchants and service providers to identify with, but you can learn more about PCI DSS here. 

Regardless of which level you associate with, there are six goals and 12 requirements for PCI compliance. The Self-Assessment Questionnaire (SAQ) applicable to your organization determines how requirements apply to you.

What Is a PCI Self-Assessment Questionnaire?

An SAQ is a series of yes-or-no questions for each PCI DSS requirement. This self-validation tool helps you assess the security of cardholder data stored, transmitted or processed by your company. And regardless of being a merchant or a service provider, you’re required to comply 24/7, 365.

There are eight types of PCI Self-Assessment Questionnaires. PCI defines them as:

SAQ Type A

Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels. Involves 24 questions.


SAQ Type A-EP

E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing or transmission of cardholder data on merchant’s systems or premises. Applicable only to e-commerce channels. Involves 192 questions.

SAQ Type B 

Merchants using only: 

  • Imprint machines with no electronic cardholder data storage and/or; 
  • Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels. Involves 41 questions.

SAQ Type B-IP 

Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder data storage. Not applicable to e-commerce channels. Involves 87 questions.

SAQ Type C 

Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. Involves 160 questions.


SAQ Type C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. Involves 84 questions.

SAQ Type P2PE 

Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE (point-to-point encryption) solution, with no electronic cardholder data storage. Not applicable to e-commerce merchants. Involves 33 questions.

SAQ Type D

SAQ D for Merchants: All merchants who are not included in descriptions for the above SAQ types. SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ. Involves 330 questions.

Why Is a PCI DSS SAQ Important?

The Payment Card Industry Security Standards Council (PCI SSC) is an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). These big brands make the rules. They track data breaches and use their findings to improve and strengthen the PCI framework.

The self-assessment is often viewed as a “check box” exercise. But it comes back to haunt businesses when a breach occurs. It’s sort of like speeding to get somewhere when you’re running late. You get away with it until you’re caught in a speed trap. Verizon’s 2020 Payment Security Report found that only 27.9% of organizations were 100% compliant with PCI DSS during their interim compliance validation.

Misrepresenting yourself on self-assessment questionnaires and human error lead to data breaches and fines. There’s more on fines below!

PCI DSS controls address common security weaknesses. However, those weaknesses can still be exploited when the controls aren’t implemented correctly.

Some common PCI DSS control failures include:

  • Ignoring Requirement 2.1 and not changing default system settings and passwords
  • Poorly coded web applications with SQL injection and other vulnerabilities (covered in Requirement 6.5), which allow access to the database storing cardholder data directly from the website
  • Inadequate scoping! For example, excluding part of the network leaves the cardholder data environment unknowingly exposed to weaknesses in other parts of the network that haven’t been secured according to PCI DSS, such as unsecured wireless access points and vulnerabilities introduced via employee e-mail and web browsing (outlined in Requirements 1.2, 1.3 and 1.4)

Being compliant with PCI DSS at one point in time doesn’t stop your environment from changing. Are you adding new software? Processing more payments? Moving online and ditching the storefront? Changes impact your compliance, which can affect your security. To ensure PCI DSS controls continue to be implemented correctly, compliance should be part of business-as-usual (BAU) activities. Doing so enables you to monitor the effectiveness of your organization’s security controls on an ongoing basis and maintain your PCI DSS compliance between assessments.

Attestation of Compliance (AoC)

Each SAQ includes an Attestation of Compliance (AoC) form, which you must complete once you have met all of the requirements for your applicable SAQ. Payment processors, gateways, acquiring banks, customers, prospects and other interested parties requiring evidence of actual PCI DSS compliance request this document.


Remember when you were running late and law enforcement snapped you on photo radar? You got caught breaking the rules and there’s a fine to pay. The amount depends on how much you went over the speed limit. PCI fines work similarly.

If you don’t meet the PCI standards for compliance, you could face penalties ranging between $5,000 and $100,000 a month. The payment brands may, at their discretion, fine an acquiring bank for violations. The banks typically transfer this fine to the merchant. Banks can also terminate your relationship or increase transaction fees. It’s hard to run a business without credit cards these days! So PCI DSS compliance can make or break a business. 

How Tugboat Can Help With PCI Compliance

After building your organization and establishing trust with your customers, don’t gamble with their sensitive information, because compromised data negatively impacts consumers, merchants and financial institutions.

We’re here to help you spin your plates more efficiently, so you can get back to selling more. Tugboat Logic helps you fill in the blanks with our PCI DSS framework, including policies, controls, templates and guidance. Your scoping survey and assessment connect everything you need and build out your evidence tasks. The automated software allows users to monitor their PCI DSS compliance as part of business-as-usual activities. And we have PCI DSS experts on staff, easily accessible to you. 

If you’re looking for more information and practical advice on how to pick which PCI Self-Assessment Questionnaire is best for you, we’re here to help! So feel free to get in touch with us. And, if you have time, we’d be happy to show you around our Security Assurance platform or set you up with a free trial.