The PCI SAQ: Which One is Right for You?

Geoff Yeagley
Jan 9, 2017 11:38:20 AM

PCI self-assessment questionnaires (SAQs) are the documents that merchants and service providers complete as evidence of their PCI DSS self-assessment. An SAQ must be submitted yearly to your acquiring bank to demonstrate compliance with the latest version of the PCI Data Security Standard, which is currently PCI DSS 3.2.

When you navigate to the PCI Security Standards Council website, you will see a list of 8 PCI SAQs to choose from, depending on your organization and how you process credit card transactions. Needless to say, choosing the right one can be confusing and overwhelming. The PCI Security Standards Council publishes a chart that you can review here, but I wanted to give you a quick rundown of the different PCI SAQs, the conditions you must meet for each one, how they differ from one another, and a tip on how to choose the right one. Here are the SAQs:

  • SAQ A - Condition # 1 is that the organization must be a Card Not Present (CNP) merchant, meaning any merchant that accepts credit cards as a form of payment through an e-commerce site, over the telephone, or through the mail. Condition # 2 is that the merchant must fully outsource all cardholder data functions to a PCI DSS validated third party (Service Provider) and must not store, process, or transmit any cardholder data on its own network.
  • SAQ A-EP - Condition # 1 is that the organization must only accept credit card payments via an e-commerce channel (website). This eliminates payments via credit card through the mail, telephone, or fax. Condition # 2 is that the organization must have one or more websites that do not receive cardholder data but could impact the security of the transaction. In plain English, this means a secure redirect to a third party for payment that might appear to be part of your website (for example, an iframe); that redirect could impact the security of the transaction. Condition # 3 is that the merchant does not store, process, or transmit any cardholder data on its own systems.
  • SAQ B - Condition # 1 is that the merchant handles Card Present transactions, where the cardholder uses the card in front of another person. This eliminates any e-commerce channels, as those are Card Not Present transactions. Condition # 2 is that the merchant must be using either an imprint machine with no cardholder data stored or standalone, dial-up terminals with no electronic cardholder data storage.
  • SAQ B-IP - Condition # 1 is that the merchant must be using standalone, PTS-approved terminals. PTS stands for PIN Transaction Security, so think of the keypads where you enter your PIN when using a debit card. Condition # 2 is that these terminals must be IP-connected, meaning connected to the Internet (not dial-up like SAQ B), and must not store electronic cardholder data.
  • SAQ C - Condition # 1 is that the merchant must be using a payment application system connected to the Internet. Condition # 2 is that the merchant must not store any electronic cardholder data. This SAQ is not applicable to e-commerce merchants.
  • SAQ C-VT - Condition # 1 is that the merchant must manually enter a single transaction at a time via keyboard into an Internet-based virtual terminal (VT) that is hosted and provided by a validated PCI DSS Service Provider. Condition # 2 is that the merchant must not store any electronic cardholder data. This SAQ is not applicable to e-commerce merchants, as it is for card present transactions.
  • SAQ P2PE-HWE - This is my favorite one based on the length of the name! Condition # 1 is that the merchant must be using only payment terminals that are managed by a PCI Security Standards Council listed P2PE (Point-to-Point Encryption) solution. Condition # 2 is that the merchant must not store any electronic cardholder data. This SAQ is not applicable to e-commerce merchants, as it is for card present transactions.
  • SAQ D - While this is listed as a single SAQ, there are 2 PCI SAQ Ds:
    • Merchants - This is what I refer to as the "catchall" PCI SAQ, as the description on the PCI Security Standards Council website is "All merchants not included in descriptions for the above SAQ types."
    • Service Providers - Almost all Service Providers must complete a PCI Report on Compliance (PCI ROC). There are some exceptions to this where the payment brands allow a Service Provider to complete a SAQ.

As you can see, the list of SAQs is long, and deciding which one you should complete can be overwhelming. Here are a couple of guidelines you can use to help narrow down the appropriate SAQ:

  • Card Not Present Transactions - SAQ A, SAQ A-EP, SAQ D
  • Card Present Transactions - SAQ B, SAQ B-IP, SAQ C, SAQ C-VT, SAQ P2PE-HWE, and SAQ D
  • Service Providers - SAQ D

Here is the one tip I want to give merchants to help you select the appropriate PCI SAQ to complete: ask your acquiring bank! If you aren't sure, ask. They are the ones who can tell you without a doubt which SAQ is appropriate for your environment, so pick up the phone and call them. Eliminate the guesswork and confusion and get the answer from the source.

Feel free to contact us with any PCI compliance questions that you have or drop a question in the comments below!
