Choose the right SAQ to demonstrate PCI DSS compliance

As we recently discussed, any organisation that plans to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) by completing a self-assessment questionnaire (SAQ) needs to make sure they have selected the right form.

There are nine types of SAQ that apply in different circumstances.

SAQ A

For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants.

It applies where:

  • The merchant’s website is hosted and managed by a PCI-compliant third-party payment processor; or
  • The merchant’s website provides an inline frame (iframe) or URL that redirects customers to a PCI-compliant third-party payment processor.

Nearly all online merchants aim for SAQ A, because it is the simplest, least time-consuming assessment.

SAQ A-EP

For e-commerce merchants that don’t receive cardholder data but do control the method through which data is redirected to a third-party payment processor.

It applies where:

  • The merchant’s website creates a payment form and “direct posts” payment data to a PCI-compliant third-party payment processor; or
  • The merchant’s website provides an iframe or URL that redirects a consumer to a PCI-compliant third-party payment processor, but some elements of the payment page originate from the merchant website.

SAQ B

For merchants that only process credit card data via imprint machines or via a standalone dial-out terminal.

Card imprint machines are non-electronic machines that make an imprint of the payment card, transferring the imprint onto a carbon paper receipt, which is then stored by the merchant.

Dial-out terminals are electronic machines that use chip and PIN and swipe cards, or require users to manually key in information. To be eligible for SAQ B, a merchant’s standalone dial-out terminal must be connected to a phone line and nothing else.

SAQ B-IP

For merchants that don’t store card data in electronic format but use IP-connected point-of-interaction (POI) devices. These merchants may handle either card-present or card-not-present transactions.

SAQ C-VT

For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function.

SAQ C

For merchants that process cardholder data via point-of-sale (POS) systems or other payment application systems connected to the Internet.

To be eligible for SAQ C, a merchant must operate isolated payment application systems that are connected to the Internet and don’t store electronic cardholder data.

SAQ D

For those that don’t fit into any of the above categories. It is often referred to as ‘Report on Compliance Light’, because it requires organisations to go through all 12 PCI DSS requirements, albeit on a reduced scale.

There are separate forms for merchants and service providers.

SAQ P2PE-HW

For merchants that use card-present transactions, meaning it is not applicable to organisations that deal in e-commerce.

Merchants that use a PCI-validated point-to-point encryption (P2PE) solution and have implemented it successfully are eligible for SAQ P2PE-HW.

Before you go…

Hopefully you now know which SAQ applies to your organisation, but that doesn’t mean you’re ready to fill in the form. The PCI Security Standards Council encourages organisations to seek professional guidance before completing the SAQ.

To find out what that entails, you should watch our free webinar: PCI DSS: The self-assessment questionnaire.

This webinar goes into more detail on SAQs and helps you identify the steps you need to take to assess your compliance with the PCI DSS.

Register for PCI DSS: The self-assessment questionnaire >>