A PCI Self-Assessment Questionnaire (PCI SAQ) is a merchant's self-validation of PCI DSS compliance. It's the document you use to attest that the security controls required to protect cardholder data are in place at your business.
Each SAQ lists the PCI DSS requirements that apply to a given type of payment environment, and the merchant must review each one and confirm it is met. The SAQs vary considerably in length: SAQ A is the shortest with just 31 questions, and SAQ D is the longest with 251.
If you're wondering, "which SAQ is right for me?", there are nine different SAQs to choose from. How you accept card payments and where cardholder data is stored, processed, or transmitted determines which SAQ your business must complete.
For example, if you have no storefront and all your products are sold online with payment handled by a third party, you probably qualify for SAQ A or SAQ A-EP. If you have a storefront that processes cards over the Internet and you also store customer card data on your own systems, you're probably an SAQ D merchant.
Ultimately, you must choose the SAQ that’s right for your processing environment, but generally speaking:
SAQ A is for e-commerce/mail/telephone-order (card-not-present) merchants that have fully outsourced all cardholder data functions. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
SAQ A-EP is for e-commerce-only merchants that use a third-party service provider to handle their card information and who have a website that doesn’t handle card data, but could impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
SAQ B is for merchants that use imprint machines and/or standalone, dial-out terminals, and have no electronic cardholder data storage. Not for e-commerce environments.
SAQ B-IP is for merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that have no electronic cardholder data storage. Not for e-commerce environments.
SAQ C-VT is for merchants that manually key one transaction at a time into a web-based virtual terminal hosted by a third-party service provider, using a computer dedicated solely to card processing. No electronic cardholder data storage. Not for e-commerce environments.
SAQ C is for merchants with a payment application system connected to the Internet, but with no electronic cardholder data storage. Not for e-commerce environments.
SAQ P2PE is for merchants using only hardware payment terminals that are part of a validated, PCI SSC-listed point-to-point encryption (P2PE) solution, with no electronic cardholder data storage.
SAQ D for Merchants is for merchants that do not meet the criteria for any other SAQ: for example, those that do not fully outsource their card processing or use a P2PE solution, and that may store cardholder data electronically.
This table gives more detail about each of the PCI DSS SAQ types:
Why are SAQs required?
The Self-Assessment Questionnaire isn't just a roadmap to compliance; it's a roadmap to better security. Working through a PCI SAQ is a systematic way to make sure you aren't missing any of the security requirements that apply to your business. In addition, acquiring banks and payment processors don't want to take on the risk of insecure merchants, so they typically require each merchant to submit a completed PCI SAQ (with its Attestation of Compliance) as proof of payment security.
Remember that no matter which SAQ you complete, the full PCI DSS still applies to your cardholder data environment; the SAQ only determines which requirements you validate against. Depending on the SAQ type, that validation may require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), penetration testing, and/or an on-site assessment.