Answer: This is based on how you intend to process credit card information.
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS 3.2.1 SAQ to meet various scenarios.
As shown below, you will need to select the appropriate SAQ document based on the manner in which you carry out business. For instance, e-commerce businesses would only need to look at rows where the column for “E-commerce Channel” is checked. Business that store cardholder data electronically would need to make sure the column for “Electronic Cardholder Data Storage Allowed” is checked.
SAQ D is a catch all for businesses that don’t fit nicely into the other categories. Any business is free to use SAQ D, although D contains the most questions and requirements.
SAQ Breakdown
| SAQ Name | Who Is Eligible? | E-commerce Channel? | Electronic Cardholder Data Storage Allowed? |
| SAQ A | E-commerce, mail or telephone merchants who have fully outsourced all credit card processing to a third party. To use this SAQ, no cardholder data can be stored, processed or transmitted on a merchant's systems or at their location of business. E-commerce techniques that would qualify for SAQ A include complete redirects to a third-party website and the use of an IFRAME. | ||
| SAQ A-EP | This SAQ is only for e-commerce merchants. The official wording from PCI SSC states that this would apply to " merchants who outsource all payment processing to PCI DSS validated third-parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction." Typical e-commerce techniques that would qualify for SAQ A-EP include direct post and the use of JavaScript. | ||
| SAQ B | This SAQ is for merchants who use old-fashioned imprint machines or credit card terminals that use dial-out technology. The credit card terminal would be connected to a phone line rather than an Internet connection. | ||
| SAQ B-IP | To qualify for this SAQ, the only method for credit card processing would be a standalone payment terminal with an IP connection to the payment processor. The terminal must also be PTS-approved. A list of PTS-approved devices can be found on the PCI Security Standards website here. | ||
| SAQ C-VT | This SAQ is for merchants who enter transactions into an Internet-based virtual terminal. The virtual terminal solution must be provided by a PCI DSS validated third-party. There are other requirements that must be met to qualify for SAQ C-VT. They can be read about at our page, "Do I qualify for SAQ C-VT?" | ||
| SAQ C | This SAQ is for merchants with payment application systems connected to the Internet that are not doing business via e-commerce. | ||
| SAQ P2PE | This SAQ is for merchants using only a validated P2PE solution. The P2PE hardware terminals must be listed as approved on the PCI Security Standards website here. | ||
| SAQ D | This SAQ is a catch all for any merchants that are eligible for the other SAQ types. |
Further guidance on which SAQ best applies to your business can be found in the official PCI guidelines or by discussing your situation with 1 Stop PCI Scan representatives.