Josh Perri

Choosing the Right PCI-DSS Self-Assessment Questionnaire

All merchants and service providers that store, process, or transmit payment card information are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). Compliance aside, protecting your customers’ payment card information is imperative for customer retention and brand protection.

But understanding the requirement to comply with PCI DSS is only part of the battle. What do you need to do next? The answer depends on several factors, starting with the volume of payment card transactions you store, process, or transmit. The card brands have set volume thresholds below which you may be allowed to self-assess. If your organization is above those thresholds, you may not self-assess and must have a Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA).

If you are under the SAQ transaction volume threshold, you must then select the SAQ that is appropriate for your organization.

PCI DSS SAQ Types

How does your organization store, process, or transmit payment card data? The PCI Council has created nine self-assessment questionnaires (SAQs), each tailored to a particular payment card transaction channel. Selecting the appropriate PCI Self-Assessment Questionnaire is an important step in complying. The PCI Council provides guidance on selecting the appropriate SAQ; however, even with that guidance, many organizations struggle to choose the correct one.

PCI DSS SAQ type, eligibility criteria, and number of questions:

SAQ A (24 questions): For e-commerce/mail/telephone-order (card-not-present) merchants that have completely outsourced all cardholder data functions. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

SAQ A-EP (192 questions): For e-commerce-only merchants that rely on third-party service providers to handle card information and that have a website which doesn’t process credit card data but could impact the security of the payment transaction. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

SAQ B (41 questions): For merchants that use imprint machines and/or standalone, dial-out terminals, and do not transmit, process, or store electronic cardholder data. Not for e-commerce activities.

SAQ B-IP (87 questions): For merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that do not store electronic cardholder data. Not for e-commerce activities.

SAQ C-VT (161 questions): For merchants that use a virtual terminal on one computer dedicated solely to card processing, and that do not store electronic cardholder data. Not for e-commerce activities.

SAQ C (84 questions): For any merchant that uses a payment application connected to the internet, but with no electronic cardholder data storage.

SAQ P2PE (34 questions): For merchants that use approved point-to-point encryption (P2PE) devices, with no electronic cardholder data storage.

SAQ D for Merchants (328 questions): For all SAQ-eligible merchants that don’t meet the criteria for the other types, i.e. merchants that do not outsource their credit card processing or use a P2PE solution, and that may store credit card data electronically.

SAQ D for Service Providers (370 questions): For service providers deemed eligible to complete an SAQ.

Related article: How to Choose the Right PCI-Compliant Approved Scanning Vendor.

Which PCI DSS SAQ Is Right for Your Organization?

If you are ready to start delving into the PCI DSS compliance process, but feel the need for some extra guidance, our team at I.S. Partners, LLC. can help. Our QSAs are ready to assist you in identifying the SAQ best suited to your company.

Call us today at 215-675-1400 or request a quote to start the conversation.
