Is a business required to complete a PCI SAQ?

First, what is a PCI SAQ? The acronym stands for Payment Card Industry Self-Assessment Questionnaire. It is a method by which the PCI DSS (pcisecuritystandards.org) determines whether a business is upholding the security standards it agreed to when applying to accept credit card transactions as a form of payment. Large merchants with over 1 million card transactions per year are required to complete a Report on Compliance, but smaller merchants can perform a self-assessment to attest to their compliance.

It is important to complete the SAQ to help ensure the business is doing all it can to protect cardholder data or credit card information processed by the point of sale (POS) system. Also, most, if not all, processors charge an increased fee if the SAQ is not completed.

There are different SAQs based on the type of business and the type of system being used to process credit cards. The online portal used to complete the SAQ will ask a series of questions to determine which SAQ is appropriate for the business. The payments provider or software provider may be needed to supply the correct identifying information about the POS system. This information is also important because it determines the number of questions asked by the SAQ, which can number anywhere from 40 to 300.

So, the simple answer is yes, a business is required to complete the PCI SAQ. But the cost savings may be the biggest driving factor for an independent business to complete this task.
