How you process credit cards and handle cardholder data determines which of the 10 Self-Assessment Questionnaire (SAQ) types your business needs to fill out. To learn more about the different SAQ types in-depth, read this blog.
Here are the different PCI SAQ type requirements:
SAQ A
Your company only accepts card-not-present (e-commerce or mail/telephone-order) transactions.
All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers.
Your company does not electronically store, process, or transmit any cardholder data on its systems or premises, but relies entirely on third parties to handle all of these functions.
Your company has confirmed that all third parties handling storage, processing, and transmission of cardholder data are PCI DSS compliant.
Any cardholder data your company retains is on paper (such as printed reports or receipts), and these documents are not received electronically.
SAQ A-EP
Your company only accepts e-commerce transactions.
All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor.
Your e-commerce website does not receive cardholder data itself, but it controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor (for example, by serving the page that posts the form or embeds the processor's payment fields).
If the merchant website is hosted by a third-party provider, that provider is validated to all applicable PCI DSS requirements (including PCI DSS Appendix A if the provider is a shared hosting provider).
Each element of the payment page(s) delivered to a consumer’s browser originates from your website or a PCI DSS compliant service provider(s).
Your company does not electronically store, process, or transmit any cardholder data on its systems or premises, but relies entirely on third parties to handle all of these functions.
Your company has confirmed that all third parties handling storage, processing, and transmission of cardholder data are PCI DSS compliant.
Any cardholder data your company retains is on paper (e.g., printed reports, receipts), and these documents are not received electronically.
SAQ B
Your company uses only an imprint machine and/or standalone, dial-out terminals (connected via a phone line to your processor) to take your customers' payment card information.
Standalone, dial-out terminals are not connected to any other systems within your environment.
Standalone, dial-out terminals are not connected to the Internet.
Your company does not transmit cardholder data over a network (either an internal network or the Internet).
Any cardholder data your company retains is on paper (e.g., printed reports, receipts), and these documents are not received electronically.
Your company does not store cardholder data in an electronic format.
SAQ B-IP
Your business uses only standalone, PTS-approved point-of-interaction (POI) devices connected via IP to your payment processor to take your customers' payment card data.
Standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (this excludes Secure Card Readers, or SCRs).
Standalone IP-connected POI devices are not connected to any other systems within your environment.
The only transmission of cardholder data is from PTS-approved POI devices to the payment processor.
The POI device does not rely on any other device (e.g., computer, mobile phone, tablet) to connect to the payment processor.
The business has only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically.
Your company does not store cardholder data electronically.
SAQ C
Your business has a payment application system and an Internet connection on the same device and/or the same local area network (LAN).
The payment application system is not connected to any other systems within your environment.
The POS environment is not connected to other locations, and any LAN is for a single location only.
Any cardholder data your business retains is on paper (e.g., printed reports, receipts), and these documents are not received electronically.
Your company does not store cardholder data in an electronic format.
SAQ C-VT
Your company only processes payments through a virtual payment terminal accessed by an Internet-connected web browser.
Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider.
Your company accesses the PCI DSS-compliant virtual payment terminal solution through a computer that is isolated in a single location, and is not connected to other locations or systems within your environment.
Your company’s computer does not have software installed that causes cardholder data to be stored.
Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data.
Your company does not otherwise receive or transmit cardholder data electronically through any channels.
Any cardholder data your company retains is on paper and these documents are not received electronically.
Your company does not store cardholder data in an electronic format.
SAQ D for Merchants
SAQ D applies to merchants who do not meet the eligibility criteria for any other SAQ type, and it contains all PCI DSS requirements. It typically covers merchants who store cardholder data electronically or who process payments without a validated P2PE solution. Here is what qualifies you for SAQ D:
E-commerce merchants who accept cardholder data on their website.
Merchants with electronic storage of cardholder data.
Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type.
Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment.
SAQ D for Service Providers
A service provider is a business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another organization. Service providers can also provide services that control or could impact the security of cardholder data. SAQ D for Service Providers is the only SAQ available to service providers. Here are examples of service providers that qualify for SAQ D:
A service provider that handles card data on behalf of another business.
A service provider that provides managed firewalls used in another entity's cardholder data environment.
A service provider that hosts a business's e-commerce environment/website.
SAQ P2PE
All payment processing is through a validated PCI P2PE solution approved and listed by the PCI SSC.
The only systems in the merchant environment that store, process, or transmit account data are the Point of Interaction (POI) devices, which are approved for use with the validated and PCI-listed P2PE solution.
Your business does not otherwise receive or transmit cardholder data electronically.
There is no legacy storage of electronic cardholder data in the environment.
If your business retains cardholder data, it is only in paper reports or copies of paper receipts and is not received electronically.
Your business has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
SAQ SPoC
All payment processing is only via a card-present payment channel.
All cardholder data entry is via a Secure Card Reader PIN (SCRP) that is part of a validated SPoC solution approved and listed by PCI SSC (Payment Card Industry Security Standards Council).
The only systems in the merchant’s SPoC environment that store, process, or transmit account data are those used as part of the validated SPoC solution approved and listed by PCI SSC.
The merchant does not otherwise receive, transmit, or store account data electronically.
This payment channel is not connected to any other systems/networks within the merchant environment.
Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.
The merchant has implemented all controls in the SPoC user guide provided by the SPoC Solution Provider.