10 Tips for Hosting Successful SAQ Workshops with Your Merchants

Article PCI DSS
Workshop

 
PCI DSS version 4.0 is officially here, and all merchants completing Self-Assessment Questionnaires (SAQs) after March 31, 2024, will be completing the new, revised v4.0 SAQs. To help merchants successfully and accurately complete their questionnaires, we recommend planning SAQ Workshops to kick off this annual process.

Below are our top 10 tips for hosting a successful workshop:

  1. Outline Your Compliance Calendar

    Structuring your annual PCI compliance calendar can be helpful to ensure your merchants have adequate time to complete the SAQs prior to your overall attestation date. Working backward from the attestation date, you will want to plan accordingly for tasks like merchant surveys, PCI training, collection of the necessary documentation, merchant SAQs, etc., and allow adequate time for each area.

    We encourage having merchants complete training prior to the SAQ cycle each year so they understand the importance of PCI and their individual responsibilities for compliance.

  2. Conduct an Assessment or Merchant Surveys

    Having a clear understanding of how each merchant accepts payment cards is important so you can assign the correct SAQ type to each merchant area. Meet with merchants to walk through their payment processes or send out a merchant survey requesting details around how merchants are accepting payments. This will help ensure SAQ assignments are accurate and eliminate any unnecessary confusion.

    Using a compliance portal that allows you to directly assign SAQ types to your merchants is highly beneficial. If each merchant has an understanding of their payment flows before the SAQ workshop, they will also be able to explain their involvement and determine which requirements apply to their specific environments.

  3. Include Your Dedicated Qualified Security Assessor.

    As a certified QSA, these team members are qualified to answer any specific questions around scoping, applicability of SAQ requirements, etc., and can also help reinforce the importance of PCI across your merchant environments.

    Including your QSA as an expert resource will provide your organization and merchants with confidence that you are accurately completing your required SAQs. Allow time at the end of the workshop for questions so merchants can engage with your QSA as needed.

  4. Host Workshops by SAQ Type

    Splitting up merchants by SAQ type (i.e., SAQ A for e-commerce, SAQ P2PE for those with validated P2PE card terminals, etc.) allows the QSA to focus on each type of merchant and ensures the workshop is relevant to those attending. Merchants will be able to hear the questions from others and directly apply those answers to their SAQs as well.

  5. Test Access to the Compliance Portal

    Whether you are utilizing the CampusGuard Central portal or your bank’s compliance portal, verify all users can log in and access their SAQs prior to the workshop so you aren’t wasting valuable time helping users sign in, recover login information, etc.

  6. Promote the Workshop as a Working Session

    Users should be logged in during the workshop and following along, completing their assigned SAQs. This will ensure users are engaged and less likely to be multitasking.  Having an interactive session will also allow users to get a jumpstart on their SAQs and increase their completion rate in those first few weeks of the compliance cycle.

  7. Enforce Due Dates and Expectations

    Provide merchant users with clear due dates and timelines for completion, and outline any penalties for non-compliance (i.e., inactivating/suspending MIDs, etc.). You can even offer a prize to help motivate completion, such as a gift card awarded to the first two merchant areas to complete their SAQs.

    Depending on the size of your organization, you may have all merchants complete their SAQs at the same time each year, or you may stagger compliance windows, so merchants have individual due dates each year.

  8. Obtain Leadership Support

    Including representation from your leadership or PCI team in the workshop can help reinforce the importance of compliance across the organization. The PCI team can also help merchants address questions about any organization-specific procedures or processes or some of the more technical requirements that may be addressed by the central IT team vs. the individual merchant areas.

  9. Supply Guidance Documentation

    Following the SAQ workshop, provide cheat sheets to users by SAQ Type to help outline how the SAQs should be answered, address frequently asked questions, etc. You can also record the workshop and allow merchants to access the recording on-demand as they or others complete their requirements.

  10. Collect Supporting Documentation

    The CampusGuard Central compliance portal is a great tool for completing and monitoring SAQs, but can also be a good place for merchants to upload any supporting compliance documentation (i.e., device inspection logs, departmental procedures, third-party documentation, etc.).  This way all information is stored in one secure, central location, and the PCI team will have the necessary oversight to track and monitor ongoing compliance.

To coordinate or schedule an SAQ workshop for your merchants this year, reach out to your dedicated CRM team. Contact us if you have any questions or need assistance.

Share

About the Author
Katie Johnson

Katie Johnson

PCIP

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.