PCI DSS facilitated self-assessment questionnaire (SAQ)

The PCI SAQ program can challenge large and small organizations. Some large, complex organizations with diversified payment channels (e.g., higher education and state government) struggle to manage the consolidated SAQ programs for their retail channels. Many smaller organizations need extra guidance to navigate the SAQ process or want the efficiency of using a single vendor for testing and reporting.

Self-assessments: Sign at your own risk

The depth and breadth of the SAQ depend on where and how your organization interacts with cardholder data, but two things are always the same:

  • A SAQ is a pass/fail test, and to pass, you must be able to say “yes” to every applicable question (or have a documented compensating control).
  • The SAQ must be signed, dated, and available for review if requested by your acquirer (or customer, in the case of a service provider).

Simple enough? Sure, particularly if you are well-versed in the PCI DSS, maintain good documentation on your systems, and stay informed on evolving control standards and threat vectors. It’s even easier if you have someone on staff who has completed the PCI SSC’s Internal Security Assessor training course. But for clients that need support, we can help.

Self-assessments done right: A facilitated SAQ

We believe every client is worth protecting and that a self-assessment should add value. That’s why we created the PCI DSS facilitated SAQ service. Each Coalfire-facilitated SAQ starts with a fully trained assessor who takes the time to learn your business and understand your project goals. No two projects are the same because no two client situations are identical. Our job is to get you the information and documentation you need to make good decisions and protect your business.

Your SAQ, only better

With a facilitated SAQ, our assessors help with several initiatives:

  • Scoping the cardholder data environment (CDE) and providing recommendations on how to minimize the CDE from a PCI DSS perspective
  • Selecting the appropriate SAQ assessment form
  • Reviewing each control and explaining complex requirements
  • Clarifying the evidence required to answer “yes” on each required control

At the end of a facilitated SAQ project, you’ll be able to create a completed SAQ or a gap report that includes recommendations and plans for closing the gaps.

Enterprise-class SAQ

Many large organizations, such as higher education institutions and state governments, must manage a diversified, complex group of small merchants. These organizations are often the designated responsible fiduciary for their acquiring bank. We have a special consolidated SAQ program that simplifies this compliance burden by leveraging our facilitated and attested SAQ solutions.

Attested SAQ: Meet your acquirers’ expanding requirements

Some merchant banks and processors now require their Level 2 merchant customers to submit an attested SAQ, signed not only by the merchant themselves, but also by the QSA. An attested SAQ goes into greater depth than a facilitated SAQ, but not as much as a report on compliance (ROC). It provides your acquirer with the additional assurance that your PCI DSS compliance program has been assessed and guided by Coalfire QSAs. Our attested SAQ service addresses this need. When completing an attested SAQ, you receive the full benefits of our expertise and experience working with SAQ and ROC clients.

Why choose Coalfire for your facilitated SAQ?

Since our founding in 2001, we have established ourselves as a pure-play, vendor-neutral cybersecurity advisory firm serving as a trusted advisor to executives, legal counsel, compliance managers, and security practitioners across numerous industries.

Each project is led by a credentialed, industry-savvy senior director and supported by consultants armed with the methodologies, insights, and know-how accumulated through service to more than 1,800 clients annually.