If you use tools like Helcim.js or our full card number API, meeting your PCI security requirements involves manually submitting a Self-Assessment Questionnaire, or SAQ for short. Don't worry, this doesn't have to be complicated.
In this article, we'll walk you through exactly what you need to do: from finding the right official SAQ form for your situation (it's usually a type called SAQ A-EP or SAQ D), to filling it out properly, and then sending it back to us through your Helcim account.
Many Helcim merchants can use our built-in online questionnaire to complete their PCI compliance. If this manual process doesn't sound like what you're expecting or needing, you might want to check out our guide for the standard online process here: Completing your PCI questionnaire.
Why is my PCI compliance process manual?
It's helpful to understand why your process is different. Helcim's automated questionnaire is designed for many common payment setups, but SAQ A-EP and SAQ D cover more complex environments where you, the merchant, have specific responsibilities that need direct attestation outside of our automated tool.
SAQ A-EP typically applies to e-commerce merchants where:
Your website doesn't directly receive or store full cardholder data, but it is involved in redirecting customers to a PCI DSS validated third-party payment processor (like Helcim for the actual payment processing).
Your website itself can impact the security of the payment transaction (e.g. if compromised, it could alter the redirection). This is often the case for integrations like Helcim.js used with platforms such as WooCommerce.
SAQ D typically applies if your business:
Electronically stores cardholder data.
Or, if you do not meet the criteria for any other SAQ type. For instance, this applies to Helcim merchants who use our full card number API, where card data may pass through your own systems.
Key takeaway: If Helcim is guiding you towards a manual submission, it's because your specific setup aligns with one of these SAQ types.
Step 1: Getting your official SAQ from the PCI Security Standards Council
For a manual submission, you need the official, up-to-date questionnaire.
Go to the official PCI Security Standards Council (PCI SSC) website: www.pcisecuritystandards.org.
Find "Search the Document Library" and search for "SAQ".
Download the latest version of the SAQ that applies to you (either SAQ A-EP or SAQ D). Make sure it's the full document, which includes instructions and the Attestation of Compliance (AoC).
Step 2: Completing your SAQ A-EP or SAQ D
This is your detailed self-assessment.
Carefully read all instructions provided within the SAQ document.
Answer every question thoroughly and accurately based on your specific business environment and security practices.
Depending on your SAQ type, you may be required to undergo external vulnerability scans by an Approved Scanning Vendor (ASV). Your SAQ will specify if this is needed. Ensure these are completed and you have the results from the ASV.
Complete and sign the Attestation of Compliance (AoC) section within the SAQ document. This is your formal declaration of compliance.
Step 3: Submitting your completed documents to Helcim
Once your SAQ and any other required documents (like ASV scan reports) are complete, you'll submit them through your Helcim account. As mentioned, the Helcim system will guide you to the manual upload option because it has identified your account as requiring SAQ A-EP or D.
Log in to your Helcim account.
Navigate to All Tools, then select My Business.
In the menu on the left, click on Security and Compliance.
Click on the PCI compliance tile.
Upload files: Select the PDF of your fully completed SAQ (which must include your signed Attestation of Compliance).
If ASV scans were required, you'll likely need to upload those reports as well.
Compliance Type: From the drop-down menu, select the correct SAQ type you completed (e.g. "SAQ A-EP" or "SAQ D"). Refer to the SAQ Types Overview section below if you need a quick reminder.
Business name / name / title: Ensure these fields are correctly populated; they are prefilled from your account details.
Check the box to acknowledge that you’ve read the PCI DSS.
Click Submit Compliance.
SAQ Types Overview (for reference during submission)
This table provides a quick overview to help you confirm you're selecting the correct "Compliance Type" during your manual upload and for general understanding. Always refer to the PCI SSC for official definitions.
| SAQ Type | Brief Description / Common Use Case | Helcim Product Examples | Supported by Helcim's automated questionnaire? |
| --- | --- | --- | --- |
| A | Card-not-present (e-commerce/mail/phone order). All cardholder data functions are fully outsourced. | Online Checkout, Hosted Payment Pages, Payment Links | Yes |
| A-EP | E-commerce only. Website involved in transaction flow, but payments are outsourced to validated third parties. | Helcim.js (e.g. with WooCommerce) | No |
| C | Payment application systems connected to the internet, no electronic cardholder data storage. | Helcim POS App (with the Helcim Smart Terminal or Helcim Card Reader) | Yes |
| C-VT | Virtual payment terminal on a computer, no electronic cardholder data storage. | Virtual Terminal | Yes |
| D | Merchants who do not meet criteria for other SAQ types (e.g. electronic storage of cardholder data) OR all Service Providers. | Legacy Full Card Number API integrations | No |
Next steps
After your manual submission, Helcim will review the provided documents. You can monitor your compliance status on the Security and Compliance page.
Once processed, your submitted documents and compliance status will be accessible via the Compliance History tab on the Security and Compliance page. Check out our article on accessing your PCI compliance report for more details on viewing your history.
Remember, PCI compliance for SAQ A-EP and D is also an annual requirement. You will need to repeat this manual process each year.
For a complete overview of PCI compliance with Helcim, you can always revisit our main directory: Understanding PCI compliance.
FAQs
Why can't I just use Helcim's online questionnaire for my SAQ A-EP or SAQ D?
SAQ A-EP and SAQ D cover environments where you have more direct control and responsibility over parts of the payment process or data handling that Helcim's automated tool cannot directly assess (like your website's configuration for A-EP, or if you store data for SAQ D). These require your direct attestation.
Where is the official SAQ A-EP or SAQ D form? I can't find it in my Helcim account.
The official SAQ forms are provided and maintained by the PCI Security Standards Council. You can download them directly from their website: www.pcisecuritystandards.org.
This SAQ is very complex. Can Helcim help me fill it out?
While our support team can guide you on how to submit the completed documents to Helcim, we cannot advise on how to answer the specific questions in your SAQ A-EP or SAQ D, as it's a self-assessment of your unique environment.
For complex situations, the PCI SSC website offers extensive guidance, or you might consider consulting with a Qualified Security Assessor (QSA).
What other documents might I need to submit besides the SAQ PDF?
This depends on the requirements of your specific SAQ. For example, SAQ A-EP and certain instances of SAQ D often require regular external vulnerability scans by an Approved Scanning Vendor (ASV). If so, you would typically need to submit the ASV scan attestation or report along with your SAQ. The instructions within your SAQ document will detail any additional documentation required.
How will I know that Helcim has received and accepted my manually submitted documents?
After you submit your documents through the Helcim portal, you can check your compliance status on the Security and Compliance page. It should update once your submission has been processed.
You can also view your submission details and uploaded documents in the Compliance History tab on that same page.