PCI SAQ – What is it and to whom it applies?

Published on : 02 Mar 2021

PCI SAQ – What is it and to whom it applies?



Hello and welcome to our next in line “Ask the Expert” video. Today’s question is something that we have been often asked being a QAC company, involved in PCI DSS since 2008. With version 1.1, 1.2 and now to 3.2.1 and 4.0 coming up in PCI DSS, we are frequently asked questions on whether your company, be it a service provider or a merchant, whether you come under an SAQ or whether you need to do a full-fledged PCI DSS.

So, as far as the PCI Council is concerned, they have tried to be very fair in this. As per the PCI Council if you are a large scale merchant or a service provider then there are several requirements you need to fulfil and which may include following a particular process. If you are a small scale merchant, then depending on the process, you might need to follow a different version or a rather lower version of PCI DSS which also called an SAQ.

Now, why do we call it a lower version? Well, this is something that many people are not aware of. An SAQ – Self-Assessment Questionnaire contains a subset of the entire PCI DSS requirements. So, it is not a separate set of questions in an SAQ, it is just a separate number of questions.

It basically depends on what is applicable and when, based on the brand you are working with. Typically speaking here there is a level one, level two, level three and a level four, regardless of whether you are a merchant or a service provider. So, if you are a level one, then as stated by Visa if your transactions exceed more than 6 million transactions a year you fall under the level one merchant category.

So, in this case, you need to comply with the requirements that comes under PCI DSS standards. Here you are expected to do the full-fledged ASV scan, AOC, and ROC with a qualified and accredited QSA like our company.

If your yearly transactions are less than that, then depending on the number of transactions, you might need to follow a level two or a level three or a level four requirements. Now again, in this, there is a combination, whether it is American Express, MasterCard, JCB, diners or even Visa, each have their own number scheme.

The merchant levels and transaction numbers per year vary from card brand–to-brand is set by the brand themselves. So, this often creates a huge problem for a service provider, or a merchants like you as you have to calculate the number of transactions that you are doing in a year.

This is a complicated process and which is why you should ask your acquirer and they will tell you the best way to work around it. Some people also say that you should do a numbers check on your databases and you will get to know the numbers. But, we always recommend our clients to ask your acquirer.

Ask your acquirer and I would say, do not go with an individual’s choice. Ask your acquirer as to whether you are coming into level one, two, three, four, because they will know what is best and applicable for you. If you have got multiple acquirers then there is a problem because you have seen some service providers, depending on the brand, they might have – or depending on the issue – they might have a different service provider too.

So then you need to aggregate across the different acquirers that you might have. Again, coming back to the question in hand, if you are a level two, you will be required to do a Self-Assessment Questionnaire which is also called an SAQ and you will also need to do an ASV scan report. Same applies for service providers.

If you are on level three and four, here the reporting requirements are identified and determined by the payment plan or the acquirer. In case of a service provider, you can just do an SAQ and an ASV scan report. Now as the word suggests, SAQ which is the full form is Self-Assessment Questionnaires., they can be done by yourself on your own.

You do not need a QSA for that. But still, many service providers and merchants call us as a QSA and PSR. The reason being that when that SAQ is done by a QSA it carries better weightage when you submit them to your stakeholders, to your acquirers, to your issuers or whomsoever you need to submit it to. So, this carries more weightage because there is no bias in that case because you know, if you are assessing your own self, then you might get bias, right? So there are a total of nine SAQs, depending on the functions that you are carrying that you need to select from. And again, I would say the best way to identify which SAQ is applicable is by asking your acquirer.

Do not even ask your QSA or internal auditors or your managing directors. Ask your acquirers. They are the best person to tell you.

The first one is SAQ A. SAQ A is basically for card not present transactions, where all the cardholder functions are outsourced to PCI DSS Compliant service providers and SAQ A is not applicable for face to face channels. So, it basically applies to e-commerce and MOTO that is Mail Order Telephone Order merchants or service providers.

Next is A-EP which applies only to e-commerce channels, not for face to face channels. Basically e-commerce merchants who outsource all payment processing functions to PCI DSS validated third-parties on your website that do not directly receive cardholder data, they come under SAQ A-EP. Here there is no electronic storage, processing or transmission of cardholder data.

Next is a SAQ B which is for imprint only merchants. As you must have seen, some machines will place your card and get your payment details. That is SAQ B. Imprint only merchants with no electronic cardholder data storage or standalone dialog merchants. SAQ B incidentally, is also not applicable to e-commerce channels.

SAQ B IP is basically for merchants using PTS-approved devices with an IP connection directly to the payment processor with no electronic cardholder data storage. So in both the cases that are B and B-IP, it does not apply to e-commerce channels and there is no cardholder data storage.

Next is SAQ C. SAQ C is basically for merchants with segmented payment application systems with no electronic cardholder data storage, connected to the Internet of course. This is not applicable to e-commerce channels.

Next is SAQ C-VT which is for merchants using only web based virtual terminals. The VT sanzo virtual terminals with no electronic cardholder data storage and again not applicable to e-commerce channels. SAQ D, now whatever else doesn’t fit for merchants, they all come under SAQ D. SAQ D is of two types – SAQ D for merchants and SAQ D for service providers. If you are a service provider, by default you come under SAQ D for service providers. All merchants who do not fall in the earlier versions of SAQ, then you come under security for merchants.

Now P2P-E, that’s our next SAQ. Now P2P-E is also a certification standard on PCI in PCI SSC council standards. There is also an SAQ for P2P-E. So SAQ P2P-E is basically for merchants who have implemented a certified validated P2P encryption solution that is listed on the PCI SSC website with no electronic storage of cardholder data.

Again, it is not applicable for e-commerce channels. So, if we do a summation of all the types only SAQ A-EP is basically applicable for e-commerce channels. All the others, whether it is SAQ A, SAQ B, SAQ B-IP, SAQ C, SAQ C-VT even SAQ P2P-E these are not applicable for e-commerce channels.

SAQ A-EP is basically for e-commerce channels, there is SAQ D for merchants, SAQ D for service providers, which again can be used for e-commerce channels. SAQ D as I said earlier, for service providers is the only one that can be used by the service providers. If you really find this confusing, as said earlier, do not rely on your own understanding, I would again suggest that you reach out to your acquirer; they are the best to guide you.

Why do I say that? The reason is that, we have seen merchants and service providers with hardly a handful, maybe a few 100 transactions because they are like start-ups, and they thought that they can get away with an SAQ. But, if the acquirer determined them as a high risk potential client, then they may ask you for a full-fledged PCI DSS and implementation of all the controls.

Out of all this, SAQ A has the least number of controls with 22 Questions Only and a security that has a maximum 329 questions. And we just finished an SAQ D for an international company. But what happened? Guess what? They finished the entire assignment, presented the SAQ D to the acquirer and to the client, the acquirer said, it is fine.

You are okay with an SAQ, but the client said no, we will not accept an SAQ, and you better do a full-fledged PCI DSS with an AOC ROC. So, eventually they had to come back to us. Of course, we tried to help them out as much as possible, but these things are possible. So, word of advice, word to the wise, do not depend on your own understanding, ask your acquirer, ask your client who has asked you to do this.

And they will be the best people to tell you what version of SAQ if at all to go in for or should we do a full-fledged PCI DSS. If you are still confused somewhere if you need to have a word with us, you can see our email address on the screen. Drop us a line on the email address. See ask us at Vista Infosec.com and we will get back to you. So, I really hope this video, though confusing, was helpful to you. And if you still have more doubts, drop us a line if you have any more questions that you’d like us to do. Look at the email address on your screen and drop us a line. Until next time, take care.


Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.