704-989-5398 info@xbsglobal.net

PCI SAQ – Eliminate Unnecessary Costs with these tips

by | Aug 7, 2018

The PCI SAQ or PCI Self Assessment Questionnaire is a core component of PCI compliance for all credit and debit card processing merchants.   The SAQ is a validation tool to assist the merchant in self evaluating  PCI DSS compliance.

There are nine versions of the SAQ with the release of PCI DSS 3.2, each with differing eligibility merchant criteria and levels of complexity. The PCI SAQ should be made available to the merchant from their payment processor or merchant account provider.

The monthly PCI DSS compliance fee  charged to the merchant provides access to the self assessment questionnaire should also include ASV scanning if required.   ASV necessity is also dependent on the SAQ version the merchant is eligible for.

PCI Non Compliance Fees and the PCI SAQ

Whether you are a B2B merchant or retail, you should know – PCI DSS compliance and verification, and the PCI SAQ or Self Assessment Questionnaire, is an annual requirement.  Those merchants who forget to reassess will  pay their payment processor PCI non compliance fees monthly – IN ADDITION to their standard monthly PCI DSS compliance fee.

As we review statements here at XBS Global, we are seeing monthly non compliance fees that range anywhere from $10 to $50.  I suspect there are merchants paying more.

The additional extra costs incurred for non compliance is the least of it of course.  Non compliant merchants are susceptible to liability for a breach of credit card data.  In the instance of breach, fines from the card brands are passed on to the merchant account provider and eventually, to the merchant.

The Payment Card Industry (PCI) Self Assessment Questionnaire (SAQ) has caused a lot of angst for merchants attempting to keep up with PCI DSS (Payment Card Industry Data Security Standards). The standards are proving to be a moving target, but with the release of PCI DSS 3.2 the security council has noted that standards are now considered mature. Future revisions will be based on newly identified risks.

For the most recent information and updates merchants should definitely turn to the PCI Security Standards Council.

Card data security will not be going away.  Card data references any personally identifiable data associated with the cardholder such as account numbers, social security numbers, even names, addresses, expiration dates, etc.

The Sony breach in April 2011 was staggering and sobering, as was the May 2011 breach at Michael’s stores nationwide (under investigation by the US Secret Service!). We noted this breach years ago when this PCI SAQ blog was initially released.  The breaches since have been numerous and large including Equifax, Saks, Orbitz and the list goes on.

Unless you are using a payments aggregator such as PayPal or Square – if you have not taken the PCI SAQ then you are not PCI Compliant.  Not a risk worth taking

Your merchant services account provider is responsible for assisting you in the Self Assessment Questionnaire.  XBS Global partners with ControlScan for all of our payment processing merchants security needs.  We can assist you in completing the PCI SAQ and any further requirements based on the version you are eligible to complete.

Remember – for the vast number of merchants who feel they are being squeezed by credit card processing fees – here is one you can eliminate.  PCI DSS non compliance fees are triggered in most cases, by merchants simply not completing the PCI SAQ.


  1. Read your merchant statement every month!
  2. Take the PCI SAQ every year – it’s easier the second time around.
  3. Look to your merchant account provider for assistance in completing the PCI SAQ and ensuring your are compliant with PCI DSS.