Determining the Apt SAQ

September 20, 2016 | By James Raymond


The Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaires (SAQs) are validation tools designed to help merchants and service providers report their PCI DSS self-assessment results. There are many different types of SAQs, and organizations have to identify the appropriate SAQ that suits their environment.

Before using any particular SAQ, organizations must confirm that they meet the eligibility requirements for that SAQ. Organizations can also seek the assistance of the payment brands or their merchant bank to identify the suitable SAQ.

According to PCI DSS SAQ Instructions and Guidelines v3.1, the different types of SAQs are A, A-EP, B, B-IP, C, C-VT, D, and P2PE.

SAQ A: This SAQ is for merchants who have completely outsourced all the cardholder data functions to third-party service providers who are PCI DSS compliant. The merchant is not allowed to do any electronic storage, processing, or transmission of any cardholder data on their IT systems or premises. These are card-not-present merchants who typically do e-commerce or mail/telephone-order businesses.

SAQ A-EP: This SAQ is also for e-commerce merchants who outsource all of their payment processing to third parties who are PCI DSS validated. Additionally, they have websites that do not themselves receive cardholder data but that could affect the security of the payment transaction. The merchant's systems or premises do not store, process or transmit cardholder data. This SAQ is applicable only to e-commerce channels.

SAQ B: This SAQ is for merchants who use terminals and imprint machines that do not maintain any facility for storage of electronic cardholder data.

SAQ B-IP: This SAQ is specifically for merchants who use PTS-approved payment terminals that have an IP connection to the payment processor. They do not have any facility for storage of electronic cardholder data.

SAQ C: This SAQ is for merchants who have their payment application systems connected to the Internet. However, they do not store electronic cardholder data.

SAQ C-VT: This SAQ is for merchants who key transactions in manually, one at a time, into a virtual payment terminal solution. The virtual terminal is not an ordinary in-house solution; it is hosted by a third-party service provider that has been PCI DSS validated. The merchant must not have any facility for storage of electronic cardholder data.

SAQ P2PE: There is no storage of electronic cardholder data. The merchants are allowed to use only hardware payment terminals that are managed via a P2PE solution that is accepted by the PCI SSC.

SAQ D for Merchants: Merchants who do not fit the descriptions for the above listed SAQ types come under SAQ D.

SAQ D for Service Providers: Service providers that are allowed by a payment brand for completion of an SAQ fall under this category.

Merchants must meet the eligibility criteria for the specific SAQ they use. While these descriptions serve as a general guide, merchants should contact their payment brands or their merchant bank for more detailed guidance to determine their suitable SAQ.
