How to write an SAQ?

A Self-Assessment Questionnaire (SAQ) is a self-validation tool for merchants handling payment cards as part of Payment Card Industry Data Security Standard (PCI DSS) compliance.

Practical steps to write an SAQ include:

  1. Selecting the appropriate SAQ, based on how you (the merchant) accept payment cards:
    1. Type A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
    2. Type A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
    3. Type B: Merchants using only:
      1. Imprint machines with no electronic cardholder data storage; and/or
      2. Standalone, dial-out terminals with no electronic cardholder data storage.
    4. Type B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
    5. Type C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
    6. Type C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
    7. Type D (Merchant): All merchants not included in descriptions for the above types.
    8. Type D (Service Provider): All service providers defined by a payment card brand as eligible to complete an SAQ.
  2. Signing the Attestation of Compliance confirming that controls are in place and tested.
  3. If gaps exist, using a Report on Compliance (ROC) or SAQ-D with a Plan of Action (POA&M).