When managing PCI DSS compliance for a company with multiple physical and online sites, determining whether to complete a separate Self-Assessment Questionnaire (SAQ) for each site depends on several factors, including your organizational structure, payment processing methods, and network segmentation.
Single SAQ vs. Multiple SAQs

- Single SAQ: If all sites operate under a unified payment processing environment with consistent security controls and policies, and if they share the same Tax Identification Number (TIN), you may be able to complete a single SAQ that encompasses all locations. This approach assumes that the security measures and compliance status are uniform across all sites.
- Multiple SAQs: If different sites have varying payment processing methods, distinct security controls, or operate under different legal entities with separate TINs, it may be necessary to complete separate SAQs for each site or processing environment. This ensures that the specific compliance requirements pertinent to each environment are adequately addressed.
Factors Influencing the Decision

- Payment Processing Methods: Different methods (e.g., e-commerce, mail order, in-person transactions) may have distinct compliance requirements, potentially necessitating different SAQs.
- Network Segmentation: Proper network segmentation can limit the scope of PCI DSS requirements to specific parts of your network. If sites are segmented and operate independently, separate SAQs might be appropriate. Conversely, if sites are interconnected without proper segmentation, a single SAQ covering the entire network may be required.
- Organizational Structure: The legal and operational structure of your organization, including how sites are managed and whether they share the same TIN, can influence the number of SAQs needed.
Recommendations

- Consult with Acquirer or Payment Brands: Engage with your acquiring bank or the relevant payment brands to obtain guidance tailored to your specific situation. They can provide clarity on whether a single SAQ suffices or if multiple SAQs are necessary.
- Review PCI DSS Guidance: Refer to official PCI DSS documentation, such as the "Understanding SAQs for PCI DSS" guide, to gain insights into SAQ applicability based on different merchant environments.
- Ensure Accurate Scoping: Accurately define the scope of your cardholder data environment (CDE) and assess how each site interacts with cardholder data. This assessment is crucial in determining the appropriate SAQ(s) to complete.