PCI DSS (Payment Card Industry Data Security Standard) is the credit card organisations' security standard; it sets strict requirements to ensure the careful and secure handling of credit card data. The standard was mandated by the five major credit card companies (Visa, MasterCard, American Express, JCB, Discover Financial Services) and comprises security requirements with the following objectives:
- Setting up and maintaining a protected network
- Protecting stored and transmitted cardholder data
- Setting up and maintaining a vulnerability management programme
- Implementing effective guidelines on access control
- Regular monitoring and testing of the IT infrastructure
- Developing and enforcing an information security policy
PCI DSS comprises twelve security requirements. Organisations are classified as PCI compliant if they meet all of the following requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel and acceptance partners
Every acceptance partner who accepts credit card payments must comply with the credit card organisations' security requirements (PCI DSS) and validate compliance. Businesses have to validate compliance regardless of their size or the number of credit card transactions conducted per year.
Businesses that do not comply with PCI DSS can be fined by the credit card organisations through their acquirer. Furthermore, non-compliant businesses are liable for damages if their customers' credit card data is stolen from or compromised in their company.
The binding IT security requirements of PCI DSS were introduced to curb payment card fraud. There are several advantages to rigorous security measures when processing payment card data:
- Improved data security and customer protection
- Increased customer confidence, which can help raise the number of credit card transactions and overall turnover
- Improved protection against financial damages and indemnity payments
- Protection of your company's image
- Evaluation of security level of systems that store, process and/or transmit cardholder data
- Minimising the cardholder data you hold, or avoiding storing it altogether, reduces your company's risk
- Network segmentation reduces costs of maintaining PCI compliance
Acceptance partners who can validate their PCI DSS compliance obtain a compliance certificate. These acceptance partners have successfully proven that they are familiar and compliant with the credit card organisations' security requirements for handling credit card data. They thereby acquire the status PCI DSS "compliant" and are protected under the so-called "Safe-Harbour Rule": in case of data theft or compromise, such a business can be partially or fully released from fines by the card associations or the acquirer after a forensic investigation has been conducted.
Your business offers credit card payments and thus has to prove compliance with PCI DSS. For this reason, your acquirer has contacted you to ask for proof of compliance.
PCI DSS compliance has to be validated at least once a year. Since validation of PCI DSS compliance involves documenting the current state of credit card processing in your business, you are required to update your compliance validation every time a change occurs to the technology or the ways in which you accept and process card payments, regardless of when you last validated PCI DSS compliance. You are required to maintain compliance with PCI DSS at any time.
I outsourced processing of credit card transactions to a third-party service provider. Why do I still have to validate PCI DSS compliance?
Even if you have outsourced the storage, processing and transmission of cardholder data to a third-party service provider, you have to validate PCI DSS compliance in order to document that your service provider is PCI compliant and that you regularly verify your service provider's PCI status. Your acquirer generally requires you to provide a PCI DSS self-assessment in which you document the ways in which you process credit card payments and validate compliance with the card associations' security requirements.
The credit card organisations MasterCard and Visa have published lists of PCI DSS compliant service providers online.
You can also directly contact your service provider to request proof of compliance.
Any business that offers credit card payments is required to comply with PCI DSS and validate compliance. If you have outsourced credit card processing to a PCI DSS compliant service provider and do not store, process or transmit credit card data on your own IT systems, you are eligible for a simplified validation process.
Why do I have to address credit card payments through a different acquirer in my PCI DSS compliance validation?
You validate secure handling of cardholder data for your business, regardless of who your acquirer is. Accordingly, the compliance certificate serves as a universal proof of your business's secure handling of cardholder data.
Please review your login data:
- Have you entered the same email address you provided as your user name?
- Have you taken into account that the password is case sensitive?
- Did you accidentally include a blank space?
If you have verified that you are using the correct login data and still cannot log in, please click on "Request new password".
Have you already registered on the complete PCI DSS portal? If you have, the initial login data we sent you is no longer valid. Please use the email address you provided as your user name (at which you receive the reminder emails) and the personal password you created. If you have not yet used the initial data but cannot log in, please contact the PCI Competence Center.
Please request a new password via the complete PCI DSS portal. Click on "Request new password" and enter the email address you have already provided as your user name. We will send you an email with your new password.
You can specify one contact person responsible for PCI during your registration on the platform. Should you need to specify a different contact or multiple contacts later on, please contact the PCI Competence Center.
Payment processing software is a computer program that runs on your own IT systems and processes your customers' card payments and payment card data. It must not be confused with a payment page, which is a payment module of your payment service provider (PSP), into which the customers enter their credit card data in order to make a payment. In this case, the credit card data is not stored, processed or transmitted via your own IT systems.
Third-party service providers are, for example, application service providers (payment gateways), web hosting service providers (which offer server space, network and internet connectivity, and maintenance), and payment service providers.
Your acquirer, the card complete Service Bank AG, is your partner for accepting and processing payment cards as part of an acceptance contract.
Point of sale is a payment system in which the customer makes a card payment at the acceptance partner's premises. The cardholder is verified by signature or PIN. The point of sale can be a stand-alone terminal that is connected to a payment service provider via telephone line, or a payment system that is connected to a cash register and/or the internet.
I do not know the exact number of my business's annual credit card transactions. What am I supposed to answer?
Card complete Service Bank AG stores transaction numbers for your business on the portal. Please contact the card complete Service Bank AG Acceptance Partner Service if you have any questions regarding these numbers.
SAQ (Self-Assessment Questionnaire)
Please specify the location(s) for each branch of your business that requires you to validate PCI DSS compliance.
Our SAQ selection assistant helps you determine the SAQ applicable to you by asking you specific questions about the ways in which you accept and process card payments in your business.
By completing a Self-Assessment Questionnaire (SAQ), you can verify and validate your compliance with PCI DSS.
The questions of SAQ A do not apply to me, since I have outsourced all processing of payment card data. What am I supposed to answer?
You can answer questions that are not applicable to your business with "N/A" (not applicable). Please add a short explanation as to why the question is not applicable to your business. The focus of SAQ A lies on the PCI compliance of your payment service provider (PSP), which you are required to check regularly. You document this verification by completing the SAQ.
I selected SAQ A / The SAQ selection assistant determined SAQ A for me. Why can I not access the SAQ questions?
Since selecting SAQ A always implies that a service provider is used to store, process or transmit cardholder data, please check that the question "Do you use service providers to store, process or transmit cardholder data?" in your master data ("administration", "edit merchant data") has been answered with "yes".
N/A stands for "not applicable" and can be used to answer questions of the SAQ that do not apply to your business. If you select N/A as an answer, you will be asked to provide an explanation as to why the question is not applicable to your business.
If you are unable to satisfy the technical specifications of a requirement but sufficiently remediate the resulting risk in another way, please select "compensating control" as your answer. In this case, you will be asked to provide more detailed information on the compensating security measures after completion of the SAQ.
Simplified Self Assessment for Hotels
Your hotel is eligible for the Simplified Self Assessment if both of the following criteria apply:
- The hotel offers only card-present transactions (the cardholder is present during the payment process).
- The hotel has a merchant level of 4, i.e. a maximum of one million Visa card-present transactions per year and NO card-not-present transactions (e-commerce and/or MOTO, i.e. mail order/telephone order transactions).
If your hotel meets those criteria, you should automatically be offered the Simplified Self Assessment for Hotels.
If your hotel is eligible for the Simplified Self Assessment, you will be asked to confirm three statements regarding your handling of payment card data:
- No sensitive cardholder data – neither track or chip data nor CVV/CVV2 or PIN – is stored electronically.
- No no-show transactions (charges for booked accommodation that is cancelled or not claimed) are processed. Should no-show transactions be processed, they are processed exclusively in accordance with the Visa Core Rules and Visa Product and Service Rules.
- Electronic access to payment card data (for example, through booking portals or hotel management software) is not possible. Should electronic access be possible, all vendor-specific default passwords of systems belonging to the cardholder data environment (especially hotel management software) are replaced with secure custom passwords.
Furthermore, you will be required to specify all third-party service providers who store, process and/or transmit cardholder data on your behalf, such as booking portals, acquirers, payment terminal providers, payment service providers, etc.
If your customers' payment card data is stored, transmitted or processed via your own IT systems, and your IT systems or connected systems are accessible from the public internet, you are required to have an Approved Scanning Vendor (ASV) perform vulnerability scans on your systems every 90 days in order to test for security vulnerabilities.
I have completed SAQ C or D with the status PCI compliant, yet it still says on the complete PCI DSS portal that I have not obtained the status PCI compliant. What else do I have to do?
Selection of SAQ C or D implies that your customers' payment card data is stored, processed or transmitted via your own IT systems, which might require you to have vulnerability scans performed in order to be PCI compliant. Our PCI Competence Center is happy to help you clarify whether or not this is the case.
I have had vulnerability scans performed by an ASV (Approved Scanning Vendor). Why do I keep being notified that I have not yet obtained the status PCI compliant?
When your ASV informs you that a vulnerability scan has validated your PCI compliance, this information is not automatically added to your data set on the complete PCI DSS portal. If the vulnerability scan was not performed by usd AG, the cooperation partner of card complete Service Bank AG, you will have to manually upload and save the vulnerability scan report to the complete PCI DSS portal. Please log in to the complete PCI DSS portal and upload the Executive Summary Report, comprised of the "Attestation of Scan Compliance" and the "Executive Summary", under the section "Your Scans".
If you have completed Self-Assessment Questionnaire A, B or C-VT and obtained the status PCI compliant, you are welcome to embed a compliance seal in your online shop. The seal is provided to you free of charge by usd AG, the cooperation partner of card complete Service Bank AG. Please use the link under the section "PCI DSS vulnerability scans" of the complete PCI DSS portal to register with usd AG. Should you have any questions, please contact the PCI Competence Center at +43 1 711 11-405 (e-mail email@example.com).