Confused about PCI SAQ options? This guide unravels the selection process to find the perfect fit for your business's payment processing and cardholder data handling.
How to Choose the Right PCI SAQ for Your Business
In the world of digital transactions, businesses handling payment cards must demonstrate their
data security measures through the Payment Card Industry Self-Assessment Questionnaire (PCI
SAQ). Completing the SAQ is a key step in the PCI DSS assessment process, followed by an
Attestation of Compliance (AoC) to confirm accuracy.
Level 1 merchants and service providers, mandated by PCI SSC or customers, must complete a
Report on Compliance (RoC), while others use an SAQ.
It's worth noting that having a Qualified Security Assessor (QSA) complete the SAQ can
enhance its credibility and value due to their expertise.
Choosing the right PCI SAQ among the 10 options (9 for merchants and 1 for service providers)
can seem daunting, especially with the introduction of SAQ SPoC in PCI DSS v4.0. Your choice
depends on how you accept card transactions and how you handle cardholder data. We've designed a
user-friendly visual decision tree to simplify the selection process, now updated to include the new
SAQs from PCI DSS v4.0.
Let's dive into the available SAQ options:
Which SAQ is the Right Choice for You?
1. SAQ A:
SAQ A is a fit for businesses that outsource card data functions and solely keep paper records
with account data. They can operate as e-commerce or mail/telephone-order, without managing
electronic account data. This SAQ is for card-not-present transactions and doesn't apply to face-
to-face channels or service providers.
Eligibility Requirements:
● Acceptance of only card-not-present transactions.
● Full outsourcing of account data processing to a PCI DSS compliant third-party.
● Complete reliance on the third-party to manage account data.
● Confirmation of the compliance of their third-party.
● Retention of any account data in paper form, not received electronically.
2. SAQ A-EP:
SAQ A-EP is a Self-Assessment Questionnaire for e-commerce merchants who indirectly impact
transaction security by partially outsourcing their payment processing to PCI DSS compliant
third parties, without handling account data electronically. It’s only applicable for e-commerce
channels, not service providers.
Eligibility Requirements:
● Acceptance of e-commerce transactions only.
● Outsourcing of account data processing to a PCI DSS compliant third-party.
● Management of customer redirection to a compliant third-party.
● Origination of payment page elements from either their website or a compliant third-
party.
● Retention of any account data in paper form rather than receiving it electronically.
3. SAQ B:
SAQ B is designed for brick-and-mortar or mail/telephone order merchants who use imprint
machines or standalone dial-out terminals for payment processing, excluding e-commerce
channels or service providers. It ensures PCI DSS compliance without storing account data
electronically.
Eligibility Requirements:
● Usage of only imprint machines or standalone dial-out terminals.
● No connection of these devices to other systems or the internet.
● No electronic storage of account data.
● Retention of any account data in paper format, not received electronically.
4. SAQ B-IP:
SAQ B-IP is a self-assessment questionnaire for brick-and-mortar and mail/telephone order
merchants using standalone, PCI-approved PTS POI devices with an IP connection to the
payment processor, excluding SCRs and SCRPs. It’s not for e-commerce channels or service
providers.
Eligibility Requirements:
● Usage of standalone, validated PTS POI devices that are IP-connected to the payment
processor and operate independently.
● No connection of these devices to other systems.
● No electronic storage of account data.
● Transmission of account data should only be from the PTS POI device to the payment
processor.
● Retention of any account data in paper format.
5. SAQ C:
SAQ C is for merchants operating via a point-of-sale (POS) system or other payment application
systems connected to the internet, without storing electronic account data. It’s not for e-
commerce channels or service providers.
Eligibility Requirements:
● A payment application system and an internet connection on the same device and/or same
local area network (LAN) is required.
● The device/LAN should be isolated from other systems through network segmentation.
● The physical location of the POS environment must not be connected to other premises or
locations and must be for a single store only.
● Any retained account data must be in paper format, such as printed reports or receipts,
and not received electronically.
6. SAQ C-VT:
SAQ C-VT is a Self-Assessment Questionnaire for merchants using Virtual Payment Terminal
solutions to process cardholder data, without reading data from a physical card.
Eligibility Requirements:
● Manual input of payments through a single, Internet-connected device is required, either
as a brick-and-mortar or mail/telephone-order merchant.
● No storage of account data on computer systems.
● All payments processed via an internet-connected web browser with a PCI DSS
compliant third-party service provider.
● No hardware device capturing or storing account data.
● No software installed on the device for account data storage.
● No electronic receipt, transmission, or storage of account data.
● Any retained account data should be on paper and not received electronically.
7. SAQ P2PE:
SAQ P2PE is a self-assessment questionnaire for merchants who exclusively process account
data through a PCI-listed P2PE solution, without handling clear-text account data on any
computer system. These merchants enter account data solely through validated P2PE payment
terminals.
Eligibility Requirements:
● It’s applicable for both brick-and-mortar and mail/telephone-order merchants, but not for
e-commerce channels or service providers.
● All payment processing must occur through a validated P2PE solution with only P2PE
payment terminals storing, processing, or transmitting account data.
● The account data retained by these merchants must be on paper and not received
electronically.
● To stay compliant, merchants must follow the controls outlined in the P2PE Instruction
Manual provided by the P2PE Solution Provider.
8. SAQ SPoC (A New Addition to PCI DSS 4.0):
SAQ SPoC is for merchants using PCI-approved Secure Card Reader-PIN (SCRP) and
commercial off-the-shelf (COTS) mobile devices in a validated Software-based PIN Entry on
COTS (SPoC) solution for card-present transactions.
Eligibility Requirements:
● Using card-present channels for payment processing.
● Exclusively using PCI SSC-approved SCRP in the SPoC solution for cardholder data
entry.
● Processing account data only within the SPoC environment.
● No electronic receipt, transmission, or storage of account data.
● Isolation of the payment channel from other systems.
● Retaining account data on paper, not electronically.
● Implementing controls from the SPoC user guide by the SPoC Solution Provider.
This SAQ is not suitable for unattended card-present, MOTO, or e-commerce transactions, and
service providers are ineligible.
9. SAQ D for Merchants:
SAQ D for Merchants is designed for merchants who are eligible to complete a self-assessment
questionnaire but do not qualify for any other SAQ types. This encompasses merchants who:
● Handle their own credit card processing
● Do not utilize a Point-to-Point Encryption (P2PE) solution
● May electronically store credit card data
Merchant environments that typically use SAQ D include, but are not limited to:
● E-commerce merchants who accept cardholder data on their website
● Merchants who electronically store cardholder data
10. SAQ D for Service Providers:
SAQ D for Service Providers is applicable to all service providers recognized by a payment
brand as eligible to complete a self-assessment questionnaire, including those storing credit card
data.
Service providers processing fewer than 300,000 card transactions annually have the option to
use SAQ D or submit a Report on Compliance (RoC), while those processing more than 300,000
transactions annually are required to submit a RoC.
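The eligibility rules above amount to a decision procedure, so here they are encoded as one function over a merchant or service-provider profile. This is an added example, not the visual decision tree or any tool from the original post; the `Profile` fields and the `payment_method` labels are assumptions chosen to mirror the criteria listed for each SAQ, and a real determination still belongs with your acquirer, payment brand or QSA.

```python
from dataclasses import dataclass

ECOM, MOTO, CARD_PRESENT = "ecommerce", "moto", "card_present"


@dataclass
class Profile:
    """Constructed profile; field names are assumptions, not PCI SSC terminology."""
    service_provider: bool = False
    annual_transactions: int = 0
    channels: frozenset = frozenset()        # subset of {ECOM, MOTO, CARD_PRESENT}
    stores_account_data_electronically: bool = False
    payment_method: str = "other"            # labels recognised by select_saq below
    isolated_from_other_systems: bool = True  # devices/LAN segmented, no other connections
    single_store: bool = True                 # SAQ C: one location, not linked to others


def select_saq(p: Profile) -> str:
    """Return the SAQ (or RoC) that the page's eligibility criteria point to."""
    if p.service_provider:
        # Service providers: only SAQ D, and above 300,000 transactions a RoC is required
        return "RoC" if p.annual_transactions > 300_000 else "SAQ D (Service Providers) or RoC"
    if p.stores_account_data_electronically:
        return "SAQ D (Merchants)"           # every other SAQ forbids electronic storage
    ch, m = p.channels, p.payment_method
    no_ecom = ECOM not in ch
    card_not_present_only = CARD_PRESENT not in ch
    if m == "fully_outsourced" and card_not_present_only:
        return "SAQ A"                       # e-commerce and/or MOTO, all functions outsourced
    if m == "redirect_or_embedded" and ch == {ECOM}:
        return "SAQ A-EP"                    # merchant site controls redirection / page elements
    if m == "virtual_terminal" and p.isolated_from_other_systems and no_ecom:
        return "SAQ C-VT"                    # manual keying on one internet-connected device
    if m == "p2pe" and no_ecom:
        return "SAQ P2PE"                    # card-present or MOTO via a PCI-listed P2PE solution
    if m == "spoc" and ch == {CARD_PRESENT}:
        return "SAQ SPoC"                    # attended card-present only; MOTO/e-commerce excluded
    if m == "imprint_or_dialout" and p.isolated_from_other_systems and no_ecom:
        return "SAQ B"
    if m == "pts_poi_ip" and p.isolated_from_other_systems and no_ecom:
        return "SAQ B-IP"
    if m == "pos_internet" and p.isolated_from_other_systems and p.single_store and no_ecom:
        return "SAQ C"
    return "SAQ D (Merchants)"               # no narrower SAQ fits


if __name__ == "__main__":
    shop = Profile(channels=frozenset({CARD_PRESENT}), payment_method="pos_internet",
                   single_store=False)       # multi-site POS fails the SAQ C single-store rule
    print(select_saq(shop))
```

Note that a SPoC merchant who also takes MOTO orders, or a POS merchant whose LAN spans several locations, falls through to SAQ D, which is exactly the caveat the text gives for those questionnaires.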
Conclusion:
Our guide on choosing the right PCI SAQ for your business aims to help you identify the most
suitable SAQ. If you’re still unsure, you can seek advice from your acquiring organization,
merchant bank, payment brand, or a Qualified Security Assessor (QSA). Also, check out our
YouTube video on this topic.
At VISTA InfoSec, we specialize in PCI DSS compliance and our team is ready to guide you,
answer your questions, and help identify the best SAQ for your needs. Don’t hesitate to
contact us at VISTA InfoSec for a seamless and successful journey towards PCI DSS
compliance.
We hope you found this blog post informative and helpful. If you have any questions or need
further clarification on any points, please feel free to ask. We value your feedback and are
here to assist you. Your understanding and success are our top priorities.
Original Published On: VISTA InfoSec