How to Choose the Right PCI SAQ for Your Business

Published on: 09 Nov 2023

In the world of digital transactions, businesses handling payment cards must demonstrate their data security measures through the Payment Card Industry Self-Assessment Questionnaire (PCI SAQ). Completing the SAQ is a key step in the PCI DSS assessment process, followed by an Attestation of Compliance (AoC) to confirm accuracy.

Level 1 merchants and service providers, or any entity required to do so by the PCI SSC or its customers, must complete a Report on Compliance (RoC); all others use an SAQ.

It’s worth noting that having a Qualified Security Assessor (QSA) complete the SAQ can enhance its credibility and value due to their expertise.

Choosing the right PCI SAQ among the 10 options (9 for merchants and 1 for service providers) can seem daunting, especially with the introduction of SAQ SPoC in PCI DSS v4.0. Your choice depends on how you accept card transactions and how you handle cardholder data. We’ve designed a user-friendly visual decision tree to simplify the selection process, now updated to include the new SAQs from PCI DSS v4.0.

Which SAQ is the Right Choice for You?

1. SAQ A:

SAQ A applies to merchants that fully outsource all account data functions to PCI DSS compliant third parties and retain only paper records containing account data. They may be e-commerce or mail/telephone-order merchants, and they do not store, process, or transmit account data electronically on their own systems. This SAQ covers card-not-present transactions only; it does not apply to face-to-face channels or to service providers.

Eligibility Requirements:

  • Acceptance of card-not-present transactions only.
  • Full outsourcing of account data processing to a PCI DSS compliant third party.
  • Complete reliance on the third party to manage account data.
  • Confirmation that the third party is PCI DSS compliant.
  • Retention of any account data in paper form only; none is received electronically.

2. SAQ A-EP:

SAQ A-EP is a Self-Assessment Questionnaire for e-commerce merchants who partially outsource their payment processing to PCI DSS compliant third parties and whose website can affect the security of the payment transaction, but who do not receive, store, or process account data electronically. It applies only to e-commerce channels, not to service providers.

Eligibility Requirements:

  • Acceptance of e-commerce transactions only.
  • Outsourcing of account data processing to a PCI DSS compliant third party.
  • Redirection of customers from the merchant’s website to a PCI DSS compliant third party for payment.
  • Payment page elements originate from the merchant’s website, a compliant third party, or both.
  • Retention of any account data in paper form only; none is received electronically.

3. SAQ B:

SAQ B is designed for brick-and-mortar or mail/telephone-order merchants who use imprint machines or standalone dial-out terminals for payment processing. It does not apply to e-commerce channels or service providers, and merchants in this category do not store account data electronically.

Eligibility Requirements:

  • Usage of imprint machines or standalone dial-out terminals only.
  • No connection of these devices to other systems or the internet.
  • No electronic storage of account data.
  • Retention of any account data in paper format only; none is received electronically.

4. SAQ B-IP:

SAQ B-IP is a self-assessment questionnaire for brick-and-mortar and mail/telephone order merchants using standalone, PCI-approved PTS POI devices with an IP connection to the payment processor, excluding SCRs and SCRPs. It’s not for e-commerce channels or service providers.

Eligibility Requirements:

  • Usage of standalone, validated PTS POI devices that are IP-connected to the payment processor and operate independently.
  • No connection of these devices to other systems.
  • No electronic storage of account data.
  • Account data is transmitted only from the PTS POI device to the payment processor.
  • Retention of any account data in paper format.

5. SAQ C:

SAQ C is for merchants operating via a point-of-sale (POS) system or other payment application systems connected to the internet, without storing electronic account data. It’s not for e-commerce channels or service providers.

Eligibility Requirements:

  • A payment application system and an internet connection on the same device and/or same local area network (LAN) is required.
  • The device/LAN should be isolated from other systems through network segmentation.
  • The physical location of the POS environment must not be connected to other premises or locations and must be for a single store only.
  • Any retained account data must be in paper format, such as printed reports or receipts, and not received electronically.

6. SAQ C-VT:

SAQ C-VT is a Self-Assessment Questionnaire for merchants using Virtual Payment Terminal solutions to process cardholder data, without reading data from a physical card.

Eligibility Requirements:

  • Manual input of payments through a single, Internet-connected device is required, either as a brick-and-mortar or mail/telephone-order merchant.
  • No storage of account data on computer systems.
  • All payments processed via an internet-connected web browser with a PCI DSS compliant third-party service provider.
  • No hardware device capturing or storing account data.
  • No software installed on the device for account data storage.
  • No electronic receipt, transmission, or storage of account data.
  • Any retained account data should be on paper and not received electronically.

7. SAQ P2PE:

SAQ P2PE is a self-assessment questionnaire for merchants who exclusively process account data through a PCI-listed P2PE solution, without handling clear-text account data on any computer system. These merchants enter account data solely through validated P2PE payment terminals.

Eligibility Requirements:

  • It’s applicable for both brick-and-mortar and mail/telephone-order merchants, but not for e-commerce channels or service providers.
  • All payment processing must occur through a validated P2PE solution with only P2PE payment terminals storing, processing, or transmitting account data.
  • The account data retained by these merchants must be on paper and not received electronically.
  • To stay compliant, merchants must follow the controls outlined in the P2PE Instruction Manual provided by the P2PE Solution Provider.

8. SAQ SPoC (A New Addition to PCI DSS 4.0):

SAQ SPoC is for merchants using PCI-approved Secure Card Reader-PIN (SCRP) and commercial off-the-shelf (COTS) mobile devices in a validated Software-based PIN Entry on COTS (SPoC) solution for card-present transactions.

Eligibility Requirements:

  • Using card-present channels for payment processing.
  • Exclusively using PCI SSC-approved SCRP in the SPoC solution for cardholder data entry.
  • Processing account data only within the SPoC environment.
  • No electronic receipt, transmission, or storage of account data.
  • Isolation of the payment channel from other systems.
  • Retaining account data on paper, not electronically.
  • Implementing the controls in the SPoC user guide provided by the SPoC Solution Provider.

This SAQ is not suitable for unattended card-present, MOTO, or e-commerce transactions, and service providers are ineligible.

9. SAQ D for Merchants:

SAQ D for Merchants is designed for merchants who are eligible to complete a self-assessment questionnaire but do not qualify for any other SAQ types. This encompasses merchants who:

  • Handle their own credit card processing
  • Do not utilize a Point-to-Point Encryption (P2PE) solution
  • May electronically store credit card data

Merchant environments that typically use SAQ D include, but are not limited to:

  • E-commerce merchants who accept cardholder data on their website
  • Merchants who electronically store cardholder data

10. SAQ D for Service Providers:

SAQ D for Service Providers is applicable to all service providers recognized by a payment brand as eligible to complete a self-assessment questionnaire, including those storing credit card data.

Service providers processing fewer than 300,000 card transactions annually may either complete SAQ D or submit a Report on Compliance (RoC); those processing more than 300,000 transactions annually must submit a RoC.

Conclusion:

Our guide on choosing the right PCI SAQ for your business aims to help you identify the most suitable SAQ. If you’re still unsure, you can seek advice from your acquiring organization, merchant bank, payment brand, or a Qualified Security Assessor (QSA). Also, check out our YouTube video on this topic.

Let us help you

Need help navigating PCI DSS v4.0? We have been active in the PCI DSS space since 2008 and even certify payment brands. Our PCI DSS services provide assurance on card security controls, with offerings for both product platform and backend services attestation.

We have a dedicated team of auditors and a separate team for consulting/advisory assignments to help our esteemed clients define processes and achieve compliance.

We have also completed multiple PCI DSS 4.0 certifications end to end, from scoping to Readiness Assessment, Advisory, and Final Certification.

We are vendor neutral and have a strict no-outsourcing policy. We can also assist you with the technical assessments needed for PCI DSS Compliance – Vulnerability Assessment, Penetration Testing, Network Segmentation Testing, Network Architecture Review, Firewall Assessment, Secure Configuration Assessment, Web and Mobile Application Security Assessment, and Secure Code Review.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.