Cloud Platform
Contact us
Asset Management
Vulnerability & Configuration Management
Risk Remediation
Threat Detection & Response
  • Overview
  • Platform Apps

  • Qualys Endpoint Security

    Advanced endpoint threat protection, improved threat context, and alert prioritization

  • Context XDR

    Extend detection and response beyond the endpoint to the enterprise

Cloud Security

Qualys Supports New Self Assessment Questionnaire for PCI Compliance

QualysGuard PCI Compliance Solution Provides Full Support for All Types of New Self-Assessment Questionnaire (SAQ) Version 1.1 for Both Merchants and Service Providers

Redwood City CA - April 1, 2008 - Qualys, Inc. today announced an upgrade to its QualysGuard® PCI on demand compliance solution with the new Self-Assessment Questionnaire (SAQ) Version 1.1, issued by the Payment Card Industry (PCI) Security Standards Council (PCI SSC) in February 2008. The QualysGuard PCI implementation of the new SAQ allows customers to complete all versions of the questionnaire online and e-file it securely with their acquiring banks.

The SAQ is a validation tool used primarily by Level 2, 3 and 4 merchants (and some smaller service providers), as defined by the major credit-card brands—Visa Inc., MasterCard Worldwide, Discover Financial Services, American Express and JCB International — to validate compliance with the PCI Data Security Standards (PCI DSS). The PCI SSC updated SAQ version 1.0 to better align with PCI DSS version 1.1 and created four variants to ensure merchants only answer questions relevant to their environment. Each of the four variants, labeled A, B, C and D have qualifying questions used to determine which of the four questionnaires a merchant is required to complete.

“Issuing the latest self assessment questionnaire is another step the PCI Security Standards Council is taking to ensure that all merchants and service providers have options in determining their compliance strategy,” said Bob Russo, general manager, PCI Security Standards Council. “Having multiple SAQs available will streamline the process and make it easier for stakeholders to determine their compliance gaps and take action to ensure full compliance with the Standard.”

The SAQ, version 1.1 is now available at and consists of four unique forms to meet various business scenarios. Each merchant completing the SAQ version 1.1 selects the questionnaire that best represents their environment, based on the descriptions below:

SAQ Validation Type Description SAQ Number of Questions
1 Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. A 11
2 Imprint-only or stand-alone terminal merchants with no electronic cardholder data storage. B 21
3 Merchants with POS systems connected to the Internet, no electronic cardholder data storage. C 38
4 All other merchants (not included in Types 1-3 above) and all service providers defined by a payment brand as eligible to complete an SAQ. D 226

QualysGuard fully supports all four types of questionnaires, labeled A-D, including the ability to enter online comments for compensating controls, provide remediation action plan for non-compliant sections, complete attestation of the assessment and electronically sign the SAQ online. More details on the QualysGuard PCI implantation or SAQ 1.1 are available at: within the PCI Questionnaires chapter.

In this upgrade, QualysGuard PCI now supports both the previous SAQ version 1.0, as well as the four forms of the new SAQ version 1.1, allowing merchants to choose which version they wish to complete. According to the PCI SSC, after April 30, 2008, the older SAQ version 1.0 will no longer be accepted for compliance validation. From that date forward, all merchants will be required to use the new SAQ version 1.1.

About QualysGuard PCI

QualysGuard PCI Compliance solution has become a de facto standard for merchants looking to comply with PCI. It is currently in use at organizations such as The Humane Society, Tribune Company, Steak n Shake restaurants, Houghton Mifflin Company and Palm, Inc. More than 50 percent of all PCI DSS ASVs and Qualified SecurityAssessors (QSAs) utilize QualysGuard to deliver PCI-related services totheir clients, bringing the total number of partners that have adoptedQualys’ platform to 250.

About Qualys

Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions. Qualys is the only security company that delivers these solutions through a single Software-as-a-Service platform. QualysGuard® allows organizations to strengthen the security of their networks and conduct automated security audits to ensure compliance with policies and regulations. As a scalable and open platform, QualysGuard enables partners to broaden their managed security offerings and expand their consulting services. Qualys’ on demand solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate view of their security and compliance posture. QualysGuard is the most widely deployed security on demand solution in the world, performing over 150 million IP audits per year. For more information, please visit

Media Contact:
Tami Casey