How Do I Determine Which SAQ To Complete?

Answer: This depends on how you accept, process, store, and transmit cardholder data, and on which payment channels you use (e-commerce, mail/telephone order, or face-to-face).

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to meet various scenarios.

The SAQ categories are shown in the table below. The descriptions were taken directly from the PCI SSC document "Understanding the SAQs for PCI DSS version 3".

SAQ      Description

A        Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
         Not applicable to face-to-face channels.

A-EP     E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
         Applicable only to e-commerce channels.

B        Merchants using only:
         • Imprint machines with no electronic cardholder data storage; and/or
         • Standalone, dial-out terminals with no electronic cardholder data storage.
         Not applicable to e-commerce channels.

B-IP     Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
         Not applicable to e-commerce channels.

C-VT     Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
         Not applicable to e-commerce channels.

C        Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
         Not applicable to e-commerce channels.

P2PE-HW  Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
         Not applicable to e-commerce channels.

D        SAQ D for Merchants: All merchants not included in the descriptions for the above SAQ types.
         SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete a SAQ.

Each SAQ begins with a list of eligibility criteria, all of which must be met before that SAQ may be used; if any criterion does not apply to your environment, you fall through to the next applicable SAQ (ultimately SAQ D). Your acquirer or payment brand makes the final determination of which SAQ you must submit. Further guidance on which SAQ best applies to your business can be found in the official PCI guidelines or by discussing your situation with 1 Stop PCI Scan representatives.