Navigating the SAQ Process: A Step-by-Step Guide for Hoteliers

Given the vast amount of cardholder data processed daily, the hospitality industry faces unique challenges in navigating the PCI DSS framework. Among these, the completion of the Self-Assessment Questionnaire (SAQ) stands out as one of the most demanding tasks.

In this week’s feature of the VENZA Echo, we’ll guide hoteliers through the SAQ process. From identifying the appropriate SAQ type for your property to conducting a thorough review of your existing security measures, this step-by-step guide is designed to help hospitality teams navigate this essential component of PCI DSS compliance.

Step 1: Determine SAQ Type

The first step in the SAQ process is to determine the correct assessment to use.

All hotel properties must annually complete one of nine available SAQs. The SAQ must be completed individually for each property—not collectively at the level of a property management company or ownership group. The appropriate SAQ type is determined by how a location processes, transmits, and stores cardholder data.

The most common SAQ types for hoteliers are:

SAQ P2PE:
* Payment transactions are processed by PCI-validated point-to-point encryption (P2PE) hardware/terminals.
* Card data is not stored electronically.

SAQ C:
* Payment transactions are processed by internet-based applications/systems.
* Card data is not stored electronically.

SAQ D:
* Payment transactions are not processed via an internet-based application or a P2PE solution.
* Card data may be stored electronically.

All SAQ forms can be downloaded from the PCI Security Standards online document library.

Step 2: Security Review

Once the SAQ type is determined, the formal review of security procedures and processes begins. This involves a detailed comparison of existing security controls against the standards outlined in the designated SAQ.

During this review, all aspects of current data security measures should be examined, including encryption methods, access controls, and network security protocols. If any deficiencies or areas needing improvement are identified, they must be documented, as this will serve as a foundation for developing an action plan to remediate the gaps.

For hoteliers with larger portfolios containing varying brands and sizes of properties, this portion of the SAQ can be challenging. VENZA assists our clients by simplifying the SAQ into separate Information Technology & General Manager Questionnaires, which are then sent to the respective contacts for those locations.

Step 3: Implement Changes

The next step is aligning the property with PCI DSS security standards by creating an action plan to address the gaps identified in the previous step.

This could entail:

Updating Software: Ensuring that all systems and applications handling cardholder data are up to date with the latest security patches and updates.

Performing Vulnerability Scans: Depending on the SAQ type, a property may need to perform an annual penetration test or quarterly vulnerability scans. These scans are critical for identifying exploitable vulnerabilities and must be performed by a PCI-approved vendor, such as those VENZA partners with.

Implementing Staff Training: Launching a fully comprehensive information security training program to ensure employees are educated on data protection best practices.

Security Policy Renewals: Updating the existing security procedures and policies framework to align with the best practices within PCI DSS.

Step 4: Complete SAQ

Now it’s finally time to complete the SAQ.

This entails honestly answering the yes or no questions on the assessment and providing any required supplementary documentation.

Depending on the SAQ type, there may be a range of supporting evidence required, such as credit card reader inventories, visitor access logs, and service provider agreements. Supplying this information demonstrates the hotel has implemented the necessary security controls to protect cardholder data.

If the property has not employed a Qualified Security Assessor (QSA), it will need a robust level of involvement from organisational IT and security professionals to ensure all levels of the assessment are properly prepared.

Step 5: AoC & Submission

Once the SAQ has been finalized, the PCI Attestation of Compliance (AoC) may be prepared.

The AoC is an attestation that a business has upheld the security best practices outlined in PCI DSS. Put simply, the information the hotel provides in the SAQ supports the formal AoC, which may only be completed by a QSA or by the merchant business itself.

Once completed, the SAQ and AoC may be submitted to the acquiring bank or payment card brand as required.

***

The SAQ is an essential component of maintaining PCI DSS compliance and safeguarding guest data. For hoteliers, the process can be challenging, but fortunately, VENZA can help.

Through the Everest™ program, VENZA’s Security Team expertly guides hoteliers of all sizes through the SAQ completion process and every aspect of PCI DSS compliance. In partnership with VENZA, your company can tackle regulatory compliance in as little as one month.

Ready to get started? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.
