What is a PCI SAQ and Which is Best For Your Business?

Author: Giulio Saggin

A PCI SAQ (Payment Card Industry Self-Assessment Questionnaire) is part of what a merchant needs in order to demonstrate PCI compliance, i.e. to show that it is protecting cardholder data with the measures set out in the PCI DSS. In effect, a business needs one in order to accept credit card payments.

However, this isn't a "one size fits all" scenario. There are numerous SAQs, from SAQ A with its 22 questions to SAQ D with its 300+ questions, and each is particular to the business using it: one is for e-commerce businesses, another is for traditional 'bricks and mortar' businesses, and the choice also depends on the volume of card data being transacted.

Using SecAlerts as an example, we outsource all cardholder data transactions to a payment gateway (service provider), so are 'eligible' for SAQ A. Handily, our service provider even fills this out for us.

The list of SAQs below may read as straightforward, but looks can be deceiving (remember, one has more than 300 questions!). You may be lucky and have someone in your workplace who can fill out the necessary SAQ. If not, it is best to approach your service provider or QSA (Qualified Security Assessor) and let them do the work for you.

List of PCI SAQs:

A
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
Not applicable to face-to-face channels.

A-EP
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

B
Merchants using only:
• Imprint machines with no electronic cardholder data storage; and/or
• Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.

B-IP
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.

C-VT
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
Not applicable to e-commerce channels.

C
Merchants with payment application systems connected to the Internet and no electronic cardholder data storage.
Not applicable to e-commerce channels.

P2PE
Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
Not applicable to e-commerce channels.

D
SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.
SAQ D for Service Providers: All service providers defined by a payment card brand as eligible to complete a SAQ.

The PCI DSS Quick Reference Guide provides further information.

© 2024 SecAlerts Pty Ltd.