There seems to be a lot of confusion over SAQ C and when it can and should be used. SAQ C was developed for the franchise industry, particularly the fast food and small retailer. The idea was that the franchisee would implement the franchise preferred point of sale (POS) solution, connect that POS solution to the Internet and start processing transactions.
Before going any further I must add the following caveat to this post. While I have based this post on all of the training and discussion over the years with the PCI SSC regarding SAQ C, this post is only my opinion and does not mean I am correct. The only official answer is the one you get from your acquiring bank. It is up to your acquiring bank to determine what SAQ your organization should use for your PCI assessment.
To refresh everyone’s memory about SAQ C, the criteria for using SAQ C are as follows.
-
“Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
-
The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);
-
The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only;
-
Your company retains only paper reports or paper copies of receipts, and these documents are not received electronically; and
-
Your company does not store cardholder data in electronic format.”
The key to understanding SAQ C are the second and third bullets. The third bullet indicates that the POS application cannot be connected to any other locations. The second bullet indicates that the payment application cannot be connected to any other systems within the organization’s processing environment. The bottom line is that the solution must be stand alone and fully segmented away from any other applications and systems.
These criteria can be easily met by solutions such as the MICROS e7 POS solution but can run afoul of integrated systems such as the MICROS RES or other similar fully integrated solutions that offer accounting, timekeeping, order management, inventory and other applications in addition to POS.
The MICROS RES solution can use SAQ C if and only if the POS application can be logically or physically segmented from the rest of the MICROS RES applications. However, in my experience, the MICROS RES and similar applications must operate as a single, integrated solution and segmentation is not possible and therefore SAQ C cannot be used.
Another place where SAQ C cannot be used is where the franchisee is linking all of their locations together back to a corporate office. I encounter this a lot where the franchisee has multiple locations and all of those locations are on a wide area network (WAN) connected to their corporate office. Transactions may be flowing directly out from the retail locations or funneled back to corporate and then out to the transaction processor. Corporate may also be monitoring the local location networks and managing the local locations’ systems and applications.
I also encounter situations where the franchisee is connected to the franchise corporate office for the ordering of inventory and the collection of sales information. The most common occurrences of this situation is with fast food franchise operations and in the lodging industry where locations are connected to the franchise corporate networks for passing information to/from the local systems. The corporate franchise may also be managing and maintaining the franchisee systems as well as part of the franchise agreement. All of these situations also preclude the use of SAQ C.
The bottom line is that SAQ C can only be used in situations where you have a LAN-based POS and no other applications or network connectivity other than to the Internet for the sole purpose of processing transactions.
So what does a merchant do when SAQ C is not an option? Sorry, but in my humble opinion, the merchant version of SAQ D is your only option when you have an integrated POS solution on a network.
Again, as a final reminder, it really does not matter what I think as all of this is up to your acquiring bank to officially approve. I am just giving my thoughts as to how I think things should work based on my training.
PCI Guru 