EPISODE · Jun 23, 2026 · 34 MIN
Which PCI SAQ Do You Actually Need? (ep. 10)
from Practical Cybersecurity with Jen Stone · host SecurityMetrics
First time filling out a PCI SAQ? In this episode, two QSAs who've scoped hundreds of payment environments walk you through how to pick the right one—so you don't end up with the wrong form, the wrong security controls, and the wrong amount of risk.Choosing the right PCI DSS Self-Assessment Questionnaire (SAQ) isn't just a paperwork decision. Pick the wrong form and you can leave blind spots in your network security or lock yourself into compliance requirements you never needed.In this episode of the Practical Cybersecurity Podcast, SecurityMetrics experts Jen Stone (QSA) and Michael Simpson break down the complex, often misunderstood rules of PCI scoping. They translate confusing auditor-speak into a practical roadmap so you can identify your payment channels, reduce your data footprint, and satisfy your acquiring bank.In this episode:The e-commerce breakdown: the technical triggers that separate SAQ A, SAQ A-EP, and SAQ D—and the "iframe vs. direct post" buzzwords that decide which one is yoursHow to spot bad PCI advice, including the common Toast POS / SAQ A myth that sends merchants to the wrong formWhy validated Point-to-Point Encryption (P2PE) is the gold standard for in-person payments and how it eliminates local network scopeE2EE vs. P2PE: the critical difference between proprietary end-to-end encryption and a formally validated solution—and why you can't use the P2PE form for E2EEThe cellular terminal question: how to document network-connected mobile payment devicesVirtual terminals (SAQ C-VT): how to stress-test your network segmentation so a call center actually qualifiesThe SAQ roll-up: how to combine multiple payment environments into one master document without losing your mindService providers: the one unyielding rule for B2B vendors who handle downstream cardholder dataResources:Official PCI SSC PTS device search: https://listings.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices?agree=trueTalk to a SecurityMetrics QSA about scoping: https://www.securitymetrics.com/security-consultingA note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/
What this episode covers
First time filling out a PCI SAQ? In this episode, two QSAs who've scoped hundreds of payment environments walk you through how to pick the right one—so you don't end up with the wrong form, the wrong security controls, and the wrong amount of risk. Choosing the right PCI DSS Self-Assessment Questionnaire (SAQ) isn't just a paperwork decision. Pick the wrong form and you can leave blind spots in your network security or lock yourself into compliance requirements you never needed. In this epis...
NOW PLAYING
Which PCI SAQ Do You Actually Need? (ep. 10)
No transcript for this episode yet
Similar Episodes
Mar 26, 2026 ·1m
Jan 2, 2026 ·47m
Dec 21, 2025 ·46m