What is PCI DSS SAQ?

This post is the first in a series about a topic that matters to every nonprofit organization: credit card security, and protecting your donors’ sensitive personal information. These posts expand upon topics from the “PCI Compliance: Safeguarding Your Donors’ Private Information” guide in the Greater Giving Fundraising Excellence Series. Each new post takes a deeper look at one area of PCI compliance and self-evaluation, with the goal of preventing fraud and malicious attacks.

Before I dive into PCI DSS and security compliance, I want to start by saying that ensuring PCI compliance is one of the most important things your nonprofit can do. Charitable giving starts and ends with one word: trust. And a major component of that trust? Ensuring the safety and security of donors’ information. Donors are the lifeblood of any nonprofit, and if that trust is violated, it could harm your reputation for a long time to come—and by extension, affect your income flow.

But please don’t let that worry you, because that’s why I’m here: to tell you that you’re not alone in ensuring data security! We created this eBook precisely to address the very serious issue of protecting personal information. We’ll help you learn all about PCI compliance, and provide some simple, step-by-step tools for enacting policies that will ensure your donors’ continuing trust in your nonprofit’s operations.

What is PCI DSS SAQ?

This is a big question! And it’ll require us to break it all down a bit first.

PCI: Payment Card Industry. Payment cards are credit and debit cards: the cards people use to pay for things.

DSS: Data Security Standard. This is a set of requirements maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB), describing how any organization that stores, processes or transmits card data must protect it. The data in scope is cardholder data: the card number (PAN), the cardholder’s name, the expiration date and the service code, along with the sensitive authentication data (full magnetic stripe or chip data, the card verification code printed on the card, and PINs) that may never be stored after a transaction is authorized. Cardholder data is one kind of PII (there’s another term for you! PII stands for Personally Identifiable Information, a broader category covering anything that identifies a person, such as a name, address or account number).

So PCI DSS is essentially a set of standards to help you keep your donors’ personal information, and credit card information, safe from fraud or malicious individuals. They are intended to start your organization thinking seriously about security—because security is a serious thing when your donors’ trust and confidence is on the line.

So, what’s the SAQ part?

In the world of credit card security, your organization is ultimately responsible for protecting the card data it handles. Even when you outsource payment processing to a third party, you remain responsible for choosing a compliant provider, keeping track of its compliance status, and securing the parts of the process you still control. It’s up to you to learn what the requirements for PCI compliance are, and to adjust your operational procedures and equipment to meet them.

Luckily, the PCI Security Standards Council provides a handy self-assessment tool that you can use to check your procedures and validate your PCI compliance: the Self-Assessment Questionnaire (SAQ). It’s free to download and use, and you can work through it on your own schedule (within whatever validation deadline your acquiring bank sets), stopping and resuming whenever you’re ready to continue.

Your first step? Get compliant.

Before you can use the SAQ, you’ll need to familiarize yourself with the 12 requirements to achieve PCI Compliance. Download our “PCI Compliance: Safeguarding Your Donors’ Private Information” e-book/white paper for a list of the 12 requirements and more information on how to update your processes to meet them.

Remember that the twelve requirements are simply a starting point for getting you to think about data security—there’s always more you can do to protect donors’ critical information.

Next, self-assess.

Visit the PCI Security Standards Council’s SAQ website for instructions on downloading and completing the SAQ. There are several versions of the questionnaire (for example SAQ A for merchants who fully outsource all card handling to a validated third party, through SAQ D for those who store or process card data on their own systems), and the right one depends on how your organization accepts payments. If you’re not sure which questionnaire applies to you, contact your acquiring bank.

The best part about the SAQ? After you’ve gone through the steps required to get PCI compliant, the process of completing the SAQ will illuminate to you any holes that might remain or were missed the first time around.

Once you’ve completed the SAQ, you’ll also need to sign an Attestation of Compliance (AOC), a formal declaration that your nonprofit has completed the SAQ, together with the results of the self-assessment. The SAQ and AOC are completed annually, not quarterly. The quarterly item is the external vulnerability scan performed by an Approved Scanning Vendor (ASV), which applies to SAQ types that involve internet-connected systems (for example SAQ A-EP, B-IP, C and D). Keeping both current is what earns the badge of trust that comes with PCI compliance.

Once you’ve successfully completed the PCI DSS SAQ and AOC, you’ve joined the minority of merchants who are fully PCI compliant. Keep in mind that compliance is a point-in-time snapshot rather than a guarantee against breaches, so the controls behind it (patching, restricting access to card data, logging, and regular testing) need to be maintained year-round. Doing so is the best bet for keeping your donors’ card data and PII safe, and for ensuring their trust for a long time to come.
