DISCLAIMER: The following is my opinion on the self-assessment questionnaire (SAQ) process and cannot be relied upon. Only your acquiring bank can definitively tell any merchant which SAQ they should provide to their acquiring bank.
Based on the comments I got back on the first SAQ post, I thought I ought to gather that information together into one location and share my thoughts on what the PCI SSC is thinking. The problem that small and midsized businesses (SMB) are running into is that no one SAQ meets their needs because they have multiple methods of conducting credit card transactions, from face-to-face to telephone to eCommerce. And that is the problem. Since there are multiple ways to conduct a transaction, no single SAQ will cover all of these transaction methods. And since an organization is only supposed to fill out and submit one SAQ to their acquiring bank, the question becomes, which SAQ should the organization use?
Let us face it; SAQ D is just not the SAQ any organization wants to fill out. Organizations are trying to avoid SAQ D like the plague because it is “ROC-lite.” But unfortunately, if your business model does not fit within the strict criteria set forth with any of the other SAQs; your only option is to fill out SAQ D. And that, my friends, is the rub.
But that does not mean that everything in SAQ D applies to your organization. However, before everyone starts marking the majority of requirements in SAQ D “Not Applicable,” let me point out that the requirements in 9 and 12 will always apply to any organization filling out SAQ D regardless of how many ways organizations conduct their credit card transactions.
So how does an organization keep their sanity and fill out SAQ D? In my very humble opinion, you use the other SAQs that apply to your individual transaction types to guide you in filling out SAQ D. For example, your organization has an entirely outsourced eCommerce site (SAQ A), but you also have data entry of phone and mail orders over a PC using the eCommerce site (SAQ C-VT) and you have a portable card terminal that you conduct transactions at seminars (SAQ B). Use the three SAQs (A, B and C-VT) as templates for filling out SAQ D. That does not mean that there will be some other requirements in SAQ D that an organization might need to address. However, the majority of SAQ D will be filled out and then an organization can review their SAQ D to ensure that everything that is relevant is covered.
My work with SMBs has given me an appreciation for why organizations want to avoid SAQ D. SAQ D is not a simple task and takes a lot of time and effort to prepare, both of which SMBs do not necessarily have in abundance. However, if your organization intends to accept credit cards for payment for goods or services, then through your Merchant Agreement with your acquiring bank, you are contractually bound to abide by all relevant PCI standards. So, either you stop accepting credit cards for payment, or you own up to the fact that the PCI standards are just another requirement of doing business in our electronic age.
I wish I had a better answer, but there is not one.
PCI Guru 