How Do I Determine Which SAQ To Complete?

Answer: This is based on how you intend to process credit card information.

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to meet various scenarios.

There are five SAQ categories, shown briefly in the table below:

SAQ   Description
A     Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
B     Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
C-VT  Merchants using only web-based virtual terminals, no electronic cardholder data storage.
C     Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
D     All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

Further guidance on which SAQ best applies to your business can be found in the following document provided by the PCI Council: PCI DSS SAQ Instructions Guide.