How to Do a PCI Self Assessment

How to Do a PCI Self Assessment

1 Star2 Stars3 Stars4 Stars5 Stars (9 votes, average: 4.56 out of 5)

Don’t get caught with thousands of dollars in fines for not properly completing your PCI DSS annual validation. In this article, we’ll help you figure out if you need to do a PCI DSS self assessment, how to do one and which self-assessment questionnaire is right for you…

Any business owner out there knows that the joys of entrepreneurship don’t come without headaches. Managing taxes, employees, overhead and so on can pile up and make you feel like you don’t know what’s up. Figuring out PCI DSS and maintaining compliance is another task many businesses face. Verizon’s 2020 Payment Security Report shows that only 27.9% of businesses demonstrated full compliance in 2019. That’s a significant decline form the 55.4% that reported full compliance in 2016!

Part of the PCI process is doing a PCI self-assessment questionnaire during your annual validation. There are different questionnaires that apply to different circumstances and sometimes it’s not even necessary to do a self assessment.

In this article, we’ll look at PCI DSS and walk you through the PCI self-assessment questionnaire process to ensure you spending your time checking off the right boxes.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standards. PCI DSS, in simple terms, is a set of security standards meant to make certain that all organizations and businesses that manage credit card cardholder data in any way do so securely. This includes processing, storing, and transmitting data.

These standards are backed by the PCI Security Standards Council, which consists of the five major credit companies:

  • Visa
  • JCB
  • American Express
  • Discover
  • Mastercard

If you don’t meet these standards, you will face the wrath of this Marvel-like team of super credit card companies. Yes, you will face justice — but instead of Thor’s hammer, you’ll be hit with some hefty fines. These fines can be anywhere from $5,000 to $100,000 per month depending on the conditions.

These security standards are built around 12 PCI DSS requirements. The requirements embody the objectives of PCI Security Standards Council. They include:

Requirement 1 — Implement a firewall configuration to thwart malicious requests and safeguard cardholder data from unapproved users.

Requirement 2 — Change the default settings (including default passwords) in your payment card infrastructure when you receive it from your vendor.

Requirement 3 — Protect stored cardholder data by rendering said data unreadable using encryption and hashing.

Requirement 4 — Ensure that cardholder data is encrypted while in transit with the use of an TLS/SSL certificate.

Requirement 5 — Implement and maintain a defense against malware with anti-malware/antivirus software.

Requirement 6 — Ensure all systems and applications are secure by having a process to maintain software updates to patch vulnerabilities as they arise.

Requirement 7 — Limit access to cardholder data on a need-to-know basis via access controls.

Requirement 8 — Assign unique IDs to all personnel with access to cardholder data to establish authorization levels and hold personnel responsible for their roles.

Requirement 9 — Protect cardholder data by limiting access to the physical systems that contain said data.

Requirement 10 —  Develop a process to track and monitor all actions around the access to cardholder data and interconnecting networks.

Requirement 11 — Create and maintain a process to consistently test all security systems.

Requirement 12 — Establish and sustain an information security policy that applies to every staff member within your organization. 

How to Maintain PCI Compliance

Once you’re able to meet the appropriate number of security requirements, you’ll be expected to maintain PCI compliance. The number of security requirements your expected to meet may vary based on your level of involvement in handling cardholder data — i.e., if you use a third-party security solution, you may not have to meet every requirement. For many organizations, maintaining PCI compliance is done with an annual validation process.

And I’m sure after reading “$5,000 to $100,000 per month” in fines, you don’t want to screw that annual validation up. We also know that you are here because you want to know “how to do a PCI self assessment,” but it’s important to go through these first few steps before getting to the self-assessment portion.

The first step in the process of nailing your annual validation is knowing what PCI level you are. It’s important to know what PCI level you fall under because you will require a different self-assessment questionnaire based on your level and how you accept payment cards. The PCI levels are as follows:

Level 1 MerchantAny merchant that processes more than 6 million Visa or Mastercard transactions per year, processes over 2.5 million American Express transactions per year or have suffered a data breach. The 5 major credit card companies also reserve the right to label you a Level 1 Merchant at their discretion.
Level 2 MerchantAny merchant that processes 1-6 million transactions per year.
Level 3 MerchantAny merchant that processes between 20,000 and 1 million ecommerce transactions or that processes below 1 million total transactions per year.
Level 4 MerchantAny merchant processing up to 1 million total transactions or fewer than 20,000 ecommerce transactions per year.

Which PCI Self-Assessment Questionnaire Should You Choose?

Once you know your level, you can figure out which PCI self-assessment questionnaire (SAQ) to choose. If you’re a PCI Level 1 Merchant, you will not need a PCI self-assessment questionnaire. Your road is a bit more complex. Your annual validation will be conducted in-person by a Qualified Security Assessor. For all of the Level 2-4 merchants, keep reading as the rest of this applies to you.

How to Do a PCI Self Assessment

Okay we made it! On to the fun stuff — how to do a PCI self assessment. This a crucial step in the annual validation process for merchants who are levels 2-4.  All you need to do is:

  1. Download the correct PCI self-assessment questionnaire and answer the provided questions.
  2. Complete an Attestation of Compliance (more on that momentarily).

It’s vital you answer the SAQ questions as accurately and honestly as possible. Submitting an inaccurate self assessment can lead to… you guessed it… more fines! If you do answer a no on the questionnaire, it’s okay, but you will be contacted to take the appropriate actions to turn that no into a yes.

As I mentioned moments ago, in addition to the questionnaire, you’ll also need to complete an Attestation of Compliance. This attestation will prove that you’ve completed the self-assessment questionnaire. The correct Attestation of Compliance and directions how to complete it will be included with the self-assessment questionnaire you download.

Figuring Out Which PCI DSS Self-Assessment Questionnaire to Download

As we mentioned, there are multiple PCI DSS self-assessment questionnaires to choose from and you need to know which to select. These are for level 2-4 PCI merchants and are sorted by “how you accept payment cards.”

You’ll find links to the self-assessment questionnaires below, so you can download the correct one for your business.

Self-Assessment QuestionnaireDescription of Appropriate Merchant (Based on How You Accept Payment Cards)
AMerchant does not handle in-person/physical card transactions Merchant uses ecommerce, email, mail or telephone transactions.All cardholder data functions are outsourced to a PCI DSS compliant third-party vendor.Merchant does not possess cardholder data (storage, processes or transmission) on their system or physical locations. Not applicable to face-to-face channels
A-EPMerchant runs their card payments solely through an ecommerce platform.All payment processing is outsourced to third parties who are PCI DSS validated.Merchant uses ecommerce site that does not directly collect cardholder data but does have the ability to affect the security of the payment transaction.Merchant does not possess cardholder data (storage, processes or transmission) on their system or physical locations. Applicable only to ecommerce channels
BMerchant solely utilizes imprint machines or separate dial-out terminals.Both imprint machines and separate dial-out terminals should be holding zero electronic cardholder data storage. Not applicable to ecommerce channels
B-IPMerchant solely utilizes PIN Transaction Security-Approved payment terminals “with an IP connection to the payment processor” (as of the February 2014 update).This process also involves zero electronic cardholder data storage. Not applicable to ecommerce channels
C-VTMerchant physically enters transactions individually into a digital terminal solution.Terminal solution is supplied and hosted by third-party vendor that is PCI DSS validated.  This process also involves zero electronic cardholder data storage. Not applicable to ecommerce channels
CMerchant uses an online payment application system. This process also involves zero electronic cardholder data storage. Not applicable to ecommerce channels
P2PE-HWMerchant who solely utilize “hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution.” This process also involves zero electronic cardholder data storage. Not applicable to ecommerce channels
D (Merchant)A merchant that does not fit in any of the previous groups.  
D (Service Provider)A service provider who has been deemed eligible to take a self-assessment questionnaire by one of the credit card companies.

If you still are unsure of what self-assessment questionnaire to go with, the PCI Security Council put together a helpful infographic (shown below) to help you figure it out. If all else fails, the council also recommends contacting your credit card company or acquiring bank for assistance.

Which PCI DSS Self-Assessment Best Applies to Your Situation?

Review the chart below to see which PCI DSS SAQ is applicable to your business:

PCI self assessment questionnaire selection instructions graphic
A screenshot of the PCI DSS Self-Assessment Questionnaire Selection Instructions. Infographic credit to

Ensure You Always Nail Your Self Assessment with a PCI-Compliance Scanner Tool

While completing a PCI DSS self-assessment questionnaire can be nerve wracking, there’s a way to relieve that anxiety. Ensuring that you are fully PCI complaint going into your annual validation is how you can do it. I know, I know, there are so many complex details to remember and requirements to meet. How does anyone do it?

Fortunately, there are ways to ease the process of becoming and maintaining PCI compliance. Take a tool like HackerGuardian for instance. This is an automated PCI compliance scanner that does nearly all the work for you. HackerGuardian:

  • Scans your entire network for compliance issues,
  • Compiles a report detailing the issues & how to fix them, and then it
  • Organizes everything into a neat final report for you to submit to your acquiring bank.

A tool like HackerGuardian is sure to make the whole PCI DSS compliance process much easier to handle. It also helps you to eliminate any concerns you have with screwing up and getting nailed with one of those nasty fines.

How to Do a PCI Self Assessment —Final Word

Well, we made it. We covered everything from what PCI DSS is right through the entire PCI self-assessment questionnaire process. We hope you now know how to do a PCI self-assessment and can work your way through that process with ease.

If you’re looking for any additional reading material, we’ve got another excellent article that dives deeper into the PCI DSS topic. If you’re interested in assistance with becoming PCI DSS compliant and maintaining that compliance, I do recommend using the HackerGuardian tool as it can really streamline the process for you. Best of luck!

About the author

Danny is a writer and editor with a background in journalism, marketing and communications. He is a tech enthusiast and writes about technology, website security and cyber security.