The Green Sheet Online Edition

April 14, 2008  •  Issue 08:04:01


SAQ sun sets on smaller merchants

By Michael Petitti

In February 2008, the Payment Card Industry (PCI) Security Standards Council (SSC) released version 1.1 of the Self Assessment Questionnaire (SAQ) and announced a sunset date of April 30, 2008, for SAQ version 1.0.

The PCI SSC updated the SAQ to align more closely with the PCI Data Security Standard (DSS). The questionnaire was also condensed so that merchants are only obligated to answer questions relevant to their particular network. (For more information, see "On track with a new SAQ," The Green Sheet, Feb. 25, 2008, issue 08:02:02.)

Depending on the merchant level, it's likely many of your merchant customers use SAQs to validate their compliance with the PCI DSS. The card brands require that all merchants be compliant with the PCI DSS. However, they only require that level 1, 2 and 3 merchants validate that fact.

Level 1 merchants must undergo an annual on-site PCI data security assessment and quarterly network scans. Those in levels 2 and 3 must complete SAQs annually and also undergo quarterly network scans. (For more information, see "SAQ changes: Knowing them is imperative," by Ross Federgreen and Ken Musante, The Green Sheet, March 24, 2008, issue 08:03:02.)

Currently, the card Associations leave validation requirements for level 4 merchants to the acquirers. The card Associations strongly recommend that level 4 merchants complete SAQs annually and undergo network scans quarterly, but they do not require validation. However, some acquirers do require their level 4 merchants to validate. Regardless, many of your merchants have probably used the SAQ or should be introduced to it because it is an effective tool for measuring PCI compliance.

The sunset date is especially important to your smaller merchant customers whose SAQs may soon expire. Until the closing date, merchants can choose which version of SAQ to complete, and it will remain valid for one year. If merchants' SAQs expire after April 30, 2008, they will need to complete version 1.1.

However, if their SAQs are set to expire before the sunset date, it may still be advantageous for them to complete version 1.1, as some variants consist of significantly fewer questions than version 1.0. To consolidate the process as much as possible and ensure the questionnaire's relevancy, the PCI SSC created four variants of SAQ version 1.1 that apply to different types of merchants.

SAQ version 1.1 A

Variant A consists of 11 questions. Merchants who are eligible to complete SAQ version 1.1 A will possess the following qualifications:

SAQ version 1.1 B

Variant B consists of 21 questions. Merchants who are eligible to complete SAQ version 1.1 B will possess the following qualifications:

Merchants can also qualify for version 1.1 B if they:

SAQ versions 1.1 C and D

Variant C consists of 38 questions. Merchants who are eligible to complete PCI SAQ version 1.1 C will possess the following qualifications:

Variant D consists of 226 questions, one for each requirement subcategory in the PCI DSS. Service providers and any merchants who do not qualify for any of the other variants qualify for SAQ version 1.1 D. In addition, each variant now includes a signature page that requires merchants to attest they are eligible to complete that particular variant of the questionnaire and all of the answers they provide are truthful and accurate.

With this change, now is a good time to speak with your customers about PCI compliance and validation procedures. You could also consider expanding your portfolio to offer them quarterly network scans by partnering with a company that specializes in compliance management solutions for the payments industry.

Michael Petitti is Chief Marketing Officer of Trustwave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
