PCI DSS SAQ: Details you’ll want to know

PCI DSS Self-Assessment Questionnaires (SAQs) are assessment forms designed to help merchants and service providers self-assess their PCI DSS compliance.

Completing the PCI SAQ form is one-way merchants can demonstrate their compliance with the buyer banks and, therefore, the five founders of the PCI SSC.

See Also: PCI Compliance Reports: What Do SAQ, AoC, and RoC Mean?

SAQ questions allow you to self-assess your company’s security situation and give you the chance to study and reflect on your company’s security practices.

Multiple versions of PCI DSS SAQs are available to meet different scenarios of merchants and service providers.

See Also: Choosing the Right PCI DSS SAQ

The PCI Self-Assessment Questionnaire asks a set of yes or no questions for each PCI Data Security Standard requirement in place. If the answer to the question is no, the company should state the date of future improvement and related actions.

There are 8 PCI SAQ forms for merchants and 1 for service providers. You must choose the SAQ form that is right for your company. That’s why we tried to simplify the SAQ types with step-by-step instructions for easy understanding. First, let’s start with the general definitions of all SAQ types and their compatible job types.

Depending on your compliance level and how you handle payment card information, several different types of PCI DSS SAQs apply:

PCI SAQ A

See Also: SAQ A What to Know, and What to Do

The Self-Assessment Questionnaire A applies to merchants where approved third parties manage card data. Including sellers who take orders by mail/phone and e-commerce. PCI SAQ A cannot be used to channels with face-to-face card operation.

PCI DSS SAQ A was created to meet specific requirements for merchants where transactions involving cardholder data are outsourced to fully approved third parties and where paper reports or cardholder data receipts are maintained.

For SAQ A, merchants can make card transactions via e-commerce or by mail/phone. However, to be included in this scope, a transaction must be made when the card is not physically available.

Besides, these merchants cannot store, process, or transmit any cardholder data in electronic format in their systems or facilities.

SAQ A merchants must indicate that they meet the eligibility criteria for payment channels as follows:

• Your organization should only allow cardless transactions (e-commerce or mail/phone order).
• Cardholder data processing should be outsourced to third-party service providers verified by PCI DSS.
• Your organization must not electronically store, process, or transmit any cardholder data on your networks or facilities. However, to perform all these functions, it must work entirely with a third-party service provider.
• Your organization must confirm that all third parties that store, process, or transmit cardholder data are compliant with PCI DSS.
• All cardholder data held by the organization must be on paper, and these documents must not be retrieved or stored electronically. The company can only keep reports or statements on form with cardholder data.
• Also, for e-commerce channels; All payment pages transmitted to the consumer’s device and provided in the consumer’s browser must only come from third-party service provider resources approved through PCI DSS.

SAQ A is not applied to face-to-face channels. It is only applicable to payment channels where the payment card is not physically located.

PCI SAQ A-EP

See Also: SAQ A-EP The What and the How

Self-Assessment Questionnaire A-EP applies to electronic commerce merchants that outsource payment transactions from PCI DSS approved third parties but do not manage the respective website.

PCI SAQ A-EP has been developed to meet requirements applicable to e-commerce organizations that have websites that do not receive cardholder data itself but affect the security of the payment process or the integrity of the page that accepts cardholder data the consumer.

PCI DSS SAQ A-EP is suitable for use by electronic commerce merchants. They partially transfer e-commerce payment services to PCI DSS-approved third parties and do not electronically store, process, or transmit any cardholder data in their systems.

PCI SAQ A-EP merchants must meet the following eligibility criteria for payment channels:

• Your company should only accept transactions through e-commerce.
• The processing of all cardholder data other than the payment page must be done entirely by a third party payment processor certified by PCI DSS.
• Your e-commerce website should not receive cardholder data but should control how consumers or cardholder data are routed to a third-party payment processor validated by PCI DSS.
• If a third party company operates the website, the third-party company must meet all applicable PCI DSS requirements, and verification must also be provided.
• All payment pages’ components must be provided to the consumer’s browser from the vendor’s website or a PCI DSS service provider.
• Your company must not store, process, or transmit any cardholder data electronically on your systems or facilities. It must work entirely with third parties to perform all these functions.
• Your company must certify that all third parties that store, process, or transmit cardholder data are PCI DSS compliant.
• Cardholder data stored by your company must be on paper and not received electronically.

SAQ A-EP can only be applied for e-commerce channels. It cannot be used to face-to-face payment channels where the payment card is physically located.

PCI SAQ B

See Also: SAQ B What Your Business Needs to Do

The Self-Assessment Questionnaire B is for e-commerce merchants who do not receive cardholder data but check how the data is transmitted to a third-party payment processor. PCI SAQ B cannot be applied to e-commerce channels.

SAQ B has been developed to address the requirements applicable to merchants processing cardholder data only through slip machines or stand-alone, call-out terminals.

SAQ B merchants include either traditional card-based businesses or merchants in the form of mail or telephone orders without a card. Besides, SAQ B merchants cannot store cardholder data on any computer system.

SAQ B merchants must meet the following eligibility criteria for payment channels:

• Your company should only use a non-electronic imprinting machine or electronic point of sale (POS) with independent dialing terminals that connect to your processor via a phone line to obtain payment card information from your customers.
• Independent, dial-up terminals within the network should not be connected to any other system.
• Independent dial-up terminals must not have an Internet connection.
• Your organization should not transmit cardholder data over an internal network or the internet.
• Cardholder data stored by your company must be on paper and not received electronically.
• No cardholder data should be stored in electronic format by your company.

SAQ B cannot be applied to e-commerce channels. It can be applied to merchants using only one slip machine or stand-alone, dial-up terminals as a payment channel.

PCI SAQ B-IP

See Also: SAQ B-IP Protecting Your Card Data

Self-Assessment Questionnaire B-IP is valid for merchants that do not store cardholder data electronically but use IP-connected point of interaction (POI) devices. Such merchants can manage card transactions or cardless transactions. PCI SAQ B-IP cannot be applied to e-commerce channels.

PCI DSS SAQ B-IP was created for merchants that process cardholder data only through PIN Transaction Security (PTS) approved point-of-interaction (POI) devices with an IP connection to the payment processor.

PCI SAQ B-IP merchants can be traditionally card-based and card-free mail/telephone transactions, but they do not store cardholder data on any computer system.

SAQ B-IP merchants must meet the following eligibility criteria for payment channels:

• Your company must use stand-alone, and PIN Transaction Security (PTS) approved point-of-interaction (POI) devices (excluding Secure Card Readers – SCRs) that connect to your payment processor via IP to obtain payment card information from your customers.
• Stand-alone, IP-connected point of interference (POI) systems must be validated as described on the PCI SSC site (Secure Card Readers – excluding SCRs) for the PIN Transaction Security (PTS) POI program.
• Independent, IP-connected interfacing point devices in your environment should not be connected to any other system.
• Transmission of cardholder data to the payment processor should only be made through PIN Transaction Security (PTS) approved point of interaction (POI) devices.
• The POI device must not be connected to any other system to connect to the payment processor.
• Cardholder data stored by your company must be on paper and not received electronically.
• Your company should not store cardholder data in electronic form.

PCI SAQ C

See Also: PCI SAQ C Securing Your Payment Application

Self-Assessment Questionnaire C is valid for merchants with internet-connected payment application systems. SAQ C merchants cannot store electronic cardholder data. Additionally, PCI SAQ C cannot be applied to e-commerce channels.

Payment application systems such as SAQ C, point-of-sale systems have been developed to meet merchants’ relevant needs connected to the internet.

PCI DSS SAQ C member merchants include businesses that process cardholder data through point-of-sale (POS) system or other internet-connected payment processing systems, do not store cardholder data in any computer system, and perform cardless transactions over a traditional card or mail/telephone.

SAQ C merchants must meet the following payment channel eligibility criteria:

• Your organization must have a payment application system and an internet connection on the same device or the same local area network (LAN).
• The payment processing system or internet device on your network should not be connected to any other network. Network segmentation can be made to separate the payment application system or internet device from all other systems.
• The POS environment’s physical location should not be connected to other sites or facilities, and any LAN should be valid only for a single store.
• All cardholder data held by the organization must be on paper and not available online.
• Your organization should not store cardholder data in electronic form.

PCI SAQ C-VT

See Also: SAQ C-VT The Basics You Should Know

Self-Assessment Questionnaire C-VT is valid for merchants that process cardholder data via a virtual payment terminal instead of a computer system.

SAQ C-VT has been developed to address specific criteria specific to merchants that process cardholder data only through web-based payment applications isolated on an internet-connected personal computer.

A virtual payment terminal is a web browser-based gateway to a buyer, processor, or third-party service provider’s website to allow payment card transactions where the user manually enters payment card details via a securely connected web browser.

Virtual payment terminals do not read data directly from a payment card, unlike physical terminals. Transactions made with the payment card are entered manually.

PCI DSS SAQ C-VT merchants use only payment terminal software to process cardholder data and not store cardholder data on any computer system. Such virtual terminals connect to the internet to access a third party managing the virtual terminals’ payment processing feature.

This third party may be a processor, recipient, or other third-party service provider that stores, processes, or transmits cardholder data to authorize or fulfill web-based payment application transactions for merchants.

SAQ C-VT is intended to be applied to merchants that enter a virtual internet terminal solution with only one operation manually via a keyboard. Traditionally, SAQ C-VT merchants can perform cardless transactions via card or mail/telephone channels. However, SAQ C-VT cannot be applied to e-commerce channels.

SAQ C-VT merchants must meet the following eligibility criteria for payment channels:

• Your business’s only payment method should be a virtual payment terminal accessible via a web browser connected to the internet.
• Your business’s virtual payment terminal system must be provided and hosted by a third-party service provider certified by PCI DSS.
• Your company must use a PCI DSS compliant web-based payment application from the isolated device that is not connected to other locations or systems on your network.
• No software that might cause the storage of cardholder data must be installed on your company’s computers.
• No hardware devices used to capture or store cardholder data on your company’s computers are connected.
• Your organization should not receive or electronically transmit cardholder data through any other channel.
• All cardholder data held by the organization must be on paper and not available online.
• Your organization should not store cardholder data in electronic form.

PCI SAQ D

See Also: SAQ D What’s Required for Service Providers

There are two versions of SAQ D for merchants and service providers. SAQ D applies to merchants that do not meet the criteria for any other SAQ type. It also applies to all service providers identified by a payment brand as eligible for SAQ completion.

PCI DSS SAQ D merchants including, but not limited to, environments may include:

• E-commerce companies that accept cardholder data on their websites;
• Merchants that store cardholder data electronically;
• Companies that do not store cardholder data electronically but do not meet the criteria of another SAQ format;
• Media vendors can meet the criteria of another SAQ format but have additional PCI DSS requirements for their environment.
• SAQ D for Service Providers applies to all service providers defined by a payment brand following SAQ.

PCI SAQ P2PE

See Also: A Brief Look at PCI SAQ P2PE

Self-Assessment Questionnaire P2PE applies to merchants using a PCI SSC approved and listed point-to-point encryption solution. Therefore, SAQ P2PE does not apply to organizations dealing with e-commerce.

PCI DSS SAQ P2PE has been developed to meet current requirements for merchants that process cardholder data only through payment terminals that include a certified Point-to-Point Encryption (P2PE) solution specified the PCI SSC.

SAQ P2PE merchants do not have access to clear text account data on any computer system. Card data is entered only through hardware payment terminals with a P2PE solution approved by PCI SSC.

Traditionally, PCI SAQ P2PE merchants can operate in a card-based or postal / telephone channel without a card. For example, they can receive cardholder data either on paper or via a computer, in which case a mail/telephone order vendor may be eligible for SAQ P2PE and enter the payment directly and only on a verified P2PE hardware device.

SAQ P2PE merchants must meet the following eligibility criteria for payment channels:

• All payment transactions must be made through a PCI Point-to-Point Encryption (P2PE) solution validated and listed by PCI SSC.
• Systems that store, process, or transmit card data in the business environment must use approved and PCI-listed P2PE solutions and must have approved Point of Interaction (POI) devices.
• Your organization should not otherwise receive or electronically transmit cardholder data.
• Old data should not be stored in the electronic cardholder data environment.
• All cardholder data held by the organization must be on paper and not available online.
• Your organization must implement all controls provided by the P2PE Solution Provider in the P2PE Instruction Manual (PIM).

Which PCI SAQ is suitable for my environment?

It would help if you chose the correct SAQ, as each SAQ type has different compliance requirements based on payment card data processing. By doing more than overlooking a procedural aspect of PCI DSS, if you consider yourself against a wrong set of requirements, you will be meeting non-applicable needs and wasting your resources.

See Also: Choosing the Right PCI DSS SAQ

Choosing the right survey is crucial, as selecting the wrong SAQ can invalidate your compliance and leave the payment card data and environment vulnerable to a higher risk of a breach.

By answering the questions below, you can determine the SAQ that is suitable for your environment:

You can check the PCI SSC Document Library to review all PCI SAQ types and get detailed information.