The formal process of achieving PCI compliance for most businesses will include submitting an annual PCI self-assessment questionnaire (SAQ) and possibly a quarterly network scan report by an Approved Scanning Vendor (ASV).

SAQs are designed to help you report the results of your PCI DSS self-assessment. It is important that you meet all of the standards for a specific SAQ before using it to ensure that you get the correct feedback. It is also important, if you are a merchant, to get help from your payment processing provider to look at your eligibility to find the best SAQ for you.

Fortunately and unfortunately, there are 8 different types of PCI self-assessment questionnaires. The good thing about having 8 options is that the SAQs should be more accurate for each merchant. The bad thing about having 8 options is that there are 8 options!

Because it is important to know which one is right to use for your company, we explain each in detail below. When in doubt though, ask your payment processor which SAQ is best for you.

SAQ A

APPLICABLE FOR: Card-not-present merchants (e-commerce or mail/telephone order)

NOT APPLICABLE FOR: Face-to-face channels

This is for card-not-present merchants that have completely outsourced all cardholder data functions to PCI DSS validated third-party service providers. Examples of merchants who would use SAQ A are those using Hosted Payment Forms and hosted shopping carts where the whole checkout process and gateway are managed by third parties. To qualify for this SAQ, you must not have electronic storage, processing or transmission of any cardholder data in your systems or premises.

SAQ A-EP

APPLICABLE FOR: e-Commerce merchants

NOT APPLICABLE FOR: Anything other than e-commerce channels

This is for e-commerce merchants that outsource all payment processing to PCI DSS validated third-party service providers with the exception of the payment page. Examples of merchants who could use SAQ A-EP include certain hosted payment forms and e-commerce websites where the payment page is on the merchant’s site. To qualify for this SAQ, you must have a website(s) that doesn’t directly receive cardholder data but can impact the security of the payment transaction. Furthermore, you must have no electronic storage, processing or transmission of any cardholder data in your systems or premises.

SAQ B

APPLICABLE FOR: Brick and mortar or mail/telephone order merchants

NOT APPLICABLE FOR: e-Commerce channels

Merchants that qualify for this SAQ use regular terminals that connect only via dial-up phone lines. This also applies to any merchants still using imprint machines (a.k.a. knuckle busters) that slide over a card to imprint carbon copies of the card onto slips.

SAQ B-IP

APPLICABLE FOR: Brick and mortar or mail/telephone order merchants

NOT APPLICABLE FOR: e-Commerce channels or merchants using the Secure Card Reader (SCR)

This SAQ is for merchants who use regular terminals that connect via IP (not dial-up phone line). This means that they have Ethernet cables that connect to a router or modem, which in turn connects to an internal network or internet service provider.

SAQ C-VT

APPLICABLE FOR: Brick and mortar or mail/telephone order merchants

NOT APPLICABLE FOR: e-Commerce channels

To qualify for this SAQ means that you manually enter each single transaction by keyboard into an internet-based virtual terminal solution that is provided/hosted by a PCI DSS validated third-party service provider. Furthermore, this would mean that you have no electronic cardholder data storage.

SAQ C

APPLICABLE FOR: Brick and mortar or mail/telephone order merchants

NOT APPLICABLE FOR: e-Commerce channels

This is for merchants that have payment application systems such as point-of-sale systems that are connected to the internet and have no electronic cardholder data storage.

SAQ P2PE-HW

APPLICABLE FOR: Brick and mortar or mail/telephone order merchants

NOT APPLICABLE FOR: e-Commerce channels

To qualify for this SAQ would mean that you use only hardware payment terminals that are included in and managed through a validated, PCI SSC-listed P2PE solution. Furthermore, you must have no electronic cardholder data storage.

SAQ D

APPLICABLE FOR: Merchants and service providers

MERCHANTS: This is for merchants that do not fit into any of the descriptions above.

SERVICE PROVIDERS: This is for service providers that were defined by a payment brand to be eligible to complete a SAQ.

Article by Clearent by Xplor

First published: August 14 2023

Last updated: June 19 2024