Facilitated Self-Assessment Questionnaire (SAQ)

Get help with the complexities of PCI DSS SAQ

The PCI SAQ program can challenge both large and small organizations. Certain large complex organizations with diversified payment channels (e.g., universities and state governments) struggle to manage their responsibility for the consolidated SAQ programs of their retail channels. Many smaller organizations need a little extra guidance to navigate the SAQ process or want the efficiency of using a single vendor for their testing and reporting.  

Self-Assessments: Sign at Your Own Risk

The depth and breadth of the SAQ is dependent on where and how your organization interacts with cardholder data, but two things are always the same:

  • A SAQ is a pass/fail test, and to pass, you must be able to say “yes” to every applicable question (or have a documented compensating control).
  • The SAQ must be signed, dated and available for review if requested by your Acquirer (or customer, in the case of a service provider).

Simple enough? Sure, particularly if you are well versed in the PCI DSS, maintain good documentation on your systems, and stay informed on evolving control standards and threat vectors. It’s even easier if you have someone on staff who has completed the PCI Security Standards Council’s Internal Security Assessor training course. But for clients needing more, Coalfire can help.

Self-Assessments Done Right:  A Facilitated SAQ

We believe every one of our clients is worth protecting and that a self-assessment should add value. That’s why we created the PCI DSS Facilitated SAQ service. Each Coalfire Facilitated SAQ starts with a fully trained Coalfire assessor who takes the time to learn your business and understand what you most need out of the project. No two projects are the same because no two client situations are identical. Our job is to get you the information and documentation you need to make good decisions and protect your business.

Your SAQ, Only Better

With a Facilitated SAQ, Coalfire assessors help with several initiatives, including:

  • Scoping the Cardholder Data Environment (CDE) and providing recommendations on how to minimize the CDE from a PCI DSS perspective.
  • Selecting the appropriate SAQ assessment form.
  • Reviewing each of the controls and explaining any hard-to-understand requirements.
  • Clarifying the evidence required to answer “yes” on each required control.

At the end of a Facilitated SAQ project, you’ll be able to create a completed SAQ or a gap report that includes recommendations for closing the gaps.

Enterprise-Class SAQ

Many large organizations, such as universities and state governments, must manage a diversified, complex group of small merchants. These organizations are often the designated responsible fiduciary for their acquiring bank. Coalfire has a special consolidated SAQ program that simplifies this compliance burden by leveraging our Facilitated and Attested SAQ solutions.

For small and large organizations looking to manage the PCI DSS self-assessment questionnaire (SAQ) program, our CoalfireOne℠ platform provides the testing, documentation and reporting tools to simplify your compliance process. This ensures a quick, easy, and safe way to manage compliance for Level 2, 3 and 4 merchants and Level 2 service providers.

Attested SAQ – Meeting Your Acquirers Expanding Requirements

Some merchant banks and processors are now requiring their Level 2 merchant customers to submit an Attested SAQ, signed not only by the merchant themselves, but also by the QSA. An Attested SAQ goes into greater depth than a Facilitated SAQ, but not as much as a Report on Compliance (ROC). It provides your acquirer with the additional assurance that your PCI DSS compliance program has been assessed and guided by Coalfire QSAs. Our Attested SAQ service addresses this need. When completing an Attested SAQ, you receive the full benefits of our expertise and experience working with both SAQ and ROC clients.

Why Choose Coalfire for your Facilitated SAQ

Since our founding in 2001, Coalfire has established itself as a pure-play, vendor-neutral cybersecurity advisory firm serving as a trusted advisor to executives, legal counsel, compliance managers and security practitioners across numerous industries.

Each Coalfire project is led by a credentialed, industry-savvy senior director and supported by consultants armed with the methodologies, insights and know-how accumulated through service to over 1,400 clients annually.