SAQ (Self-Assessment Questionnaire)
Simplified Self Assessment for Hotels
PCI DSS (Payment Card Industry Data Security Standard, short: PCI) is the credit card associations' security standard with strict requirements to ensure careful and secure handling of credit card data. The standard was mandated by the five major credit card companies (American Express, JCB, MasterCard, Discover Financial Services and Visa) and is comprised of security requirements with the following objectives:
- Setting up and maintaining a protected network
- Protecting stored and transmitted cardholder data
- Setting up and maintaining a vulnerability management programme
- Implementing effective guidelines on access control
- Regular monitoring and testing of the IT infrastructure
- Developing and enforcing an information security policy
PCI DSS is comprised of twelve security requirements. Organisations are classified as PCI compliant if they comply with the following standards:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel and contract partners
The PCI DSS applies to all companies that process, store and/or transmit credit card data. Consequently, each company that accepts credit card payments must satisfy the security requirements imposed by the credit card organisations and therefore comply with the PCI DSS. Neither the size of the company nor the annual volume of credit card transactions processed affect a company’s obligation to validate PCI DSS compliance.
Businesses that do not comply with PCI DSS can be fined by the credit card associations or their acquirer (merchant bank or payment service provider) and face refusal of service or cancellation of their credit card acceptance contract. Furthermore, non-compliant businesses are liable for damages in case of theft or compromise of their customers' credit card data.
The binding IT security requirements of PCI DSS were introduced to curb payment card fraud. There are several advantages to rigorous security measures when processing payment card data:
- Improved data security and customer protection
- Increased customer confidence, which can help raise the amount of credit card transfers and overall turnover
- Improved protection against financial damages and indemnity payments
- Protection of your company's image
- Evaluation of security level of systems that store, process and/or transmit cardholder data
- Minimising and avoiding data helps reduce company risks
- Network segmentation reduces costs of maintaining PCI compliance
Businesses that can prove PCI DSS compliance obtain a compliance certificate. Those businesses have successfully proven that they are familiar and compliant with the credit card companies' security requirements for handling credit card data. They have thereby acquired the status PCI DSS "compliant" and are protected under the so-called "Safe-Harbour Rule". In case of data theft or compromise, such a business can be partially or fully released of any fines by card associations or acquirer after a forensic investigation has been conducted.
Your company processes, stores or transmits credit card data and/or accepts credit card payments and must therefore comply with the PCI DSS and validate its compliance. For this reason, your acquirer has contacted you to ask for proof of compliance.
PCI DSS compliance has to be validated at least once a year. Since validation of PCI DSS compliance involves documenting the current state of credit card processing in your business, you are required to update your compliance validation every time a change occurs to the technology or the ways in which you accept and process card payments, regardless of when you last validated PCI DSS compliance. You are required to maintain compliance with PCI DSS at any time.
I outsourced processing of credit card transactions to a third-party service provider. Why do I still have to validate PCI DSS compliance?
Even if you have outsourced storing, processing and transmission of cardholder data to a third-party service provider, you have to validate PCI DSS compliance in order to document that your service provider is PCI compliant, and that you regularly verify your service provider's PCI status. Your acquirer generally requires you to provide a PCI DSS self assessment in which you document the ways in which you process credit card payments and validate compliance with the card associations' security requirements.
The card associations MasterCard and Visa have released a list of all PCI DSS compliant service providers online:
You can also contact your service provider directly to request their PCI DSSS Attestation of Compliance (AOC).
Any business that offers credit card payments is required to comply with PCI DSS and validate compliance. If you have outsourced credit card processing to a PCI DSS compliant service provider and do not store, process or transmit credit card data on your own IT systems, you are eligible for a simplified validation process.
Why do I have to address credit card payments through a different acquirer in my PCI DSS compliance validation?
You validate secure handling of cardholder data for your business, regardless of who your acquirer is. Accordingly, the compliance certificate serves as a universal proof of your business's secure handling of cardholder data.
MOTO - What do I do if a customer sends me his or her credit card data by e-mail without being asked?
In the event of unsolicited sending of full credit card data, you should print out the e-mail promptly and then delete it immediately. Please note that any copies remaining on the server or in the trash can of the e-mail program must be deleted irretrievably. Then inform the affected customer that the transmission of credit card data by e-mail is very insecure and that he or she should refrain from doing so in the future.
The order can then be completed using the paper document. It is recommended that you black out the credit card data after transmission or dispose of the document securely (e.g. by means of a document shredder). Please note: If paper documents containing full credit card data are stored, they must be kept in accordance with requirements 9.5 - 9.8.
The PC fax function integrates fax reception into the e-mail program. The credit card data is then available in PDF format, which corresponds to storing credit card data on your systems. Although the storage of credit card data is generally permitted, it must be secured with considerable additional technical and organisational extra effort (see SAQ D). We therefore strongly advise against using PC fax functions to accept orders. Please use a classic fax with paper reception instead. It is recommended that you black out the credit card data after transmission or dispose of the document securely (e.g. by means of a document shredder). Please note: If paper documents containing complete credit card data are stored, they must be kept in accordance with requirements 9.5 - 9.8.
Documents containing credit card data must be stored securely to ensure protection against unauthorised access by third parties. A safe or a similarly secure document cabinet is recommended for secure storage. If appropriate protection cannot be maintained, the document must be destroyed irretrievably by a document shredder, for example. For more detailed information on the safe storage of paper documents containing full credit card data, see requirements 9.5-9.8.
Please review your login data:
- Have you entered the same email address you provided as your user name?
- Have you taken into account that the password is case sensitive?
- Did you accidentally include a blank space?
If you have verified that you are using the correct login data and still cannot log in, please click on "Request new password".
Have you already registered on the PCI DSS platform? If you have, the initial login data we sent you is no longer valid. Please use the email address you provided as your user name (at which you also receive the reminder emails) and the personal password you created. If you have not yet used the initial data but cannot log in, please contact the PCI Competence Center.
Please request a new password via the PCI DSS platform. Click on "Request new password" and enter the email address you have already provided as your user name. We will send you an email with your new password.
You can provide one specific contact person responsible for PCI during your registration on the platform. Should you require to specify a different contact or multiple contacts later on, please contact the PCI Competence Center.
Payment processing software is a computer program that runs on your own IT systems and processes your customers' credit card payments. It must not be confused with a payment page, which is a payment module of your payment service provider, into which the customers enter their credit card data in order to make a payment. In this case, the credit card data is not stored, processed or transmitted via your own IT systems.
Third-party service providers are, for example, application service providers (payment gateways), web hosting service providers, (service providers that offer server space, network connectivity and internet connectivity and maintenance), as well as payment service providers.
An acquirer, also called merchant bank, is the entity that processes credit or debit card payments on your behalf as part of a credit card acceptance contract. Your payment service provider can act as your acquirer as well.
Point of sale ist a payment system in which the customers makes a credit card payment at the merchant's location. Proof of the customers' identity is provided by their signature. The point of sale can be a stand-alone terminal that is connected to a payment service provider via telephone line, or it can be a payment system that is connected to the register and/or the internet.
JCB (Japan Credit Bureau) and CUP (China Union Pay) are credit cards that are prevalent in Asia. The Discover Card is an American credit card.
I do not know the exact amount of my business's annual credit card transactions. What am I supposed to answer?
Please give an estimate of your annual credit card transactions if you do not know the exact amount.
SAQ (Self-Assessment Questionnaire)
Please specify the location(s) for each branch of your business that requires you to provide proof of PCI DSS compliance.
Our SAQ selection assistant helps you determine the SAQ applicable to you by asking you specific questions about the ways in which you accept and process card payments in your business.
By completing a self-assessment questionnaire (SAQ), you can validate compliance with PCI DSS.
The questions of SAQ A do not apply to me, since I have outsourced all processing of credit card data. What am I supposed to answer?
You can answer questions that are not applicable to your business with "N/A" (not applicable). Please comment with a short explanation as to why the question is not applicable to your business. The focus of SAQ A lies on the PCI compliance of your payment service provider. You are required to regularly verify that your payment service provider is PCI compliant and validate compliance by completing an SAQ.
N/A stands for "not applicable" and can be used to answer questions of the SAQ that do not apply to your business. If you select N/A as an answer, you will be asked to provide an explanation as to why the question is not applicable to your business.
If you are unable to satisfy technological specifications of a requirement but sufficiently remediate the resulting risk in another way, please select "compensating control" as your answer. In this case, you will be asked to provide more detailed information on the compensating security measures after completion of the SAQ.
Simplified Self Assessment for Hotels
- The hotel offers only card present transactions (the cardholder is present during the payment process).
- The hotel has a merchant level of 4, i.e. a maximum of one million Visa card present transactions are carried out per year (NO e-commerce or mail order/telephone order transactions!).
If your hotel meets those criteria, you should automatically be offered the Simplified Self Assessment for Hotels.
If your hotel is eligible for the Simplified Self Assessment, you will be asked to confirm three statements regarding your handling of credit card data:
- No sensitive cardholder data – neither track data or chip data, nor CVV/CVV2 or PIN – is electronically stored.
- No no-show transactions are processed (if the booked accommodation is cancelled or fails to be claimed). Should no-show transactions be processed, they are processed exclusively in accordance with the Visa Core Rules and Visa Product and Service Rules
- Electronic access to credit card data (for example, through booking portals or hotel management software) is not possible. Should electronic access be possible, all vendor-specific default passwords of systems belonging to the cardholder data environment (especially hotel management software) are replaced with secure custom passwords.
Furthermore, you will be required to specify all third party service providers who store, process, and/or transmit cardholder data on your behalf, for example: booking portals, acquirers (merchant banks), payment terminal providers, payment service providers, etc.
If your customers' credit card data is stored, transmitted or processed via your own IT systems, and your IT systems or connected systems are accessible from the public internet, you are required to have an Approved Scanning Vendor (ASV) perform vulnerability scans on your systems every 90 days in order to test for security vulnerabilities.
I have completed SAQ C or D with the status PCI compliant, yet it still says on the platform that I have not obtained the status PCI compliant. What else do I have to do?
Selection of SAQ C or D implies that your customers' credit card data is stored, processed or transmitted via your own IT systems, which might require you to have vulnerability scans performed in order to be PCI compliant. Our PCI Competence Center is happy to help you clarify whether or not this is the case.
I have had vulnerability scans performed by an ASV. Why do I keep being notified that I have not yet obtained the status PCI compliant?
If your ASV informs you that a vulnerability scan validated that you are PCI compliant, this information has not yet been added to your data set on the platform. If you did not have the vulnerability scan performed by the usd AG, you will have to manually upload and save the vulnerability scan report to the platform. Please log into the PCI platform and upload the Executive Summary Report, which is comprised of the "Attestation of Scan Compliance" and the "Executive Summary", under the section "Your Scans".
If you have completed either self-assessment questionnaire A, B or C-VT and obtained the status PCI compliant, you are welcome to implement a compliance seal into your online shop. The seal is provided to you free of charge by your acquirer's partner, the usd AG. Please use the link under section "PCI DSS vulnerability scans" to register with the usd AG. Should you have any questions, please contact the usd AG's PCI Competence Center at +49 6102 8631-90 or email@example.com
If you have any questions please contact our PCI Competence Center:
Phone: +49 6102 8631-740 | E-mail: firstname.lastname@example.org
Available Monday to Friday between 8:00 and 18:00 hrs