The PCI Data Security Standard Self-Assessment Questionnaire (PCI SAQ) is a validation tool designed for merchants and service providers that are permitted to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI SAQ helps service providers and payment processors better protect cardholder data by completing the self-assessment which can prevent data breaches before they happen. Merchants are encouraged to contact their bank or payment brand for eligibility requirements to identify the appropriate SAQ level for their organization.
There are eight SAQ validation types in PCI DSS v3.2.1:
|A||Card not present (Does not apply to face to face merchants)|
|A-EP||E-commerce – all payment processing outsourced to a PCI DSS validated processor|
|B||Stand-alone dial-up (no electronic data storage) or imprint machines|
|B-IP||PTS-approved payment terminals with IP connection to payment processor|
|C||Payment application systems connected to the internet (no electronic storage)|
|C-VT||Internet terminal, single transactions, hosted by PCI DSS validated third party|
|P2PE-HW||PCI SSC P2PE solution, no electronic cardholder data storage|
|D||All other merchants and service providers|
SAQ Validation Type A (SAQ A)
Merchants that have fully outsourced all cardholder data functions to a PCI DSS validated third-party service provider and do not electronically store, process, or transmit cardholder data from the merchant. SAQ A only applies to card not present merchants and is not available for face to face channels.
SAQ Validation Type A-EP (SAQ A-EP)
E-commerce merchant that has outsourced all payment processing to a PCI compliant processor and doesn’t directly receive cardholder data on their website. SAQ A-EP eligible merchants forward payment entry to a third party site that is PCI DSS validated and is only applicable to e-commerce.
SAQ Validation Type B (SAQ B)
Merchants that only use imprint machines or standalone dial-out terminals for credit cards and do not store cardholder data qualify for SAQ B, but they cannot be e-commerce. Imprint machines take a physical credit card and multi-page receipts with ink between the pages to capture an image of the card. This process is made possible by the raised numbers and letters on the credit card.
SAQ Validation Type B-IP (SAQ B-IP)
In order to qualify for SAQ B-IP, the merchant must use a PTS approved payment terminal with an IP connection. The terminal cannot store cardholder data and is only applicable to non-e-commerce merchants. An example of a PTS approved terminal would be a Verifone vx520.
SAQ Validation Type C (SAQ C)
SAQ C is applicable to merchants that have a payment application system connected to the internet that doesn’t store cardholder data. PCI Security Standards Council (SSC) maintains a list of approved and validated payment applications that meet specific guidelines for secure credit card processing.
SAQ Validation Type C-VT (SAQ C-VT)
Merchants that qualify for SAQ C-VT are ones that manually key in single transactions via a keyboard that connects to an internet-based virtual terminal solution. The solution needs to be provided by a PCI DSS validated service provider and no electronic cardholder data may be stored. SAQ C-VT doesn’t apply if the merchant is e-commerce.
SAQ Validation Type P2PE-HW (SAQ P2PE-HW)
One of the more common merchant solutions that can self-assess via the questionnaire are merchants that only use a hardware payment terminal. The terminal must be managed and validated by a PCI SSC listed point-to-point encryption (P2PE) solution provider and cannot store cardholder data. Since it is a hardware on-premises (“on prem”) solution, it would not apply to e-commerce.
SAQ Validation Type D (SAQ D)
Merchants and service providers that don’t fit into any of the pre-defined SAQs A thru P2PE-HW and are still eligible to complete an SAQ fall under SAQ D.
PCI SAQ Summary
The primary goal of completing the PCI SAQ is to obtain an Attestation of Compliance (AoC). While the attestation doesn’t grant the merchant PCI compliance, it proves that cardholder data is not at risk via electronic data sources or retention. Many of the SAQ options rely on a validated PCI DSS service provider that processes the transaction and, in turn, may store the information for various purposes. In a sense, the merchants that qualify for self-assessment are outsourcing the risk of accepting, transmitting, and processing payment cards to a third party service provider.