Have you been asked by your bank to complete a Self-Assessment Questionnaire (SAQ) to verify your compliance with the PCI DSS? There are many different versions of the SAQ available, and it can be difficult to choose the version that is right for your organization. The full version is the SAQ D, and it includes all of the requirements of the PCI DSS. The other versions of the SAQ are designed to include only the requirements that should apply to merchants that handle cardholder data in specific but common scenarios. To use one of the specialized SAQ versions, a merchant must meet the qualifications that correspond to that specific version of the SAQ. The following descriptions will help you to identify which version is right for you:
SAQ A: This version is for card-not-present merchants (performing only e-commerce, mail-order, or telephone-order transactions) that have fully outsourced all cardholder data functions to PCI DSS compliant service providers. In order to qualify for this version of the SAQ, the merchant should have no responsibility for maintaining any systems that handle cardholder data. For example, if you use a third-party service provider for collecting payments, and the service provider hosts the forms used to collect the cardholder data (i.e. an iframe or redirect is used to send your website visitors to the payment service provider’s web forms), then you will likely qualify to fill out an SAQ A.
SAQ A-EP: This version of the SAQ applies only to e-commerce merchants, and it has very similar qualifications to the SAQ A. However, there is one key difference: for this version, the merchant maintains the web form used to collect cardholder data (and/or manages the server it is hosted on). To qualify for this version of the SAQ, the cardholder data must be sent directly from the customer’s browser to a PCI DSS compliant payment service provider, and the merchant’s systems should never receive or transmit the cardholder data.
SAQ B: This version is for merchants who receive only in-person (card-present) transactions and use no network-connected devices for handling cardholder data. Imprint machines and/or dial-out terminals with no electronic storage of cardholder data are used instead. If all your transactions use point-of-sale devices with dial-up connections to the payment processor, then this is probably the SAQ for you. If you perform any e-commerce, then you do not qualify for this SAQ.
SAQ B-IP: The qualifications for this SAQ are very similar to the qualifications of SAQ B, except this version is for merchants who receive only in-person (card-present) transactions using only PTS-approved payment terminals with IP connectivity to the payment processor. Once again, if you perform e-commerce then you do not qualify for this SAQ.
SAQ C-VT: If your payment processor provides you with an IP-based “Virtual Terminal” that handles a single payment at a time and this is your only method of processing payments, this is probably the SAQ version for you. E-commerce merchants do not qualify to use this SAQ version.
SAQ C: If you have a payment application that is not e-commerce but is connected via the internet, then this is probably the version of SAQ that is right for you.
SAQ P2PE-HW: This version of the SAQ is for merchants that use only Point-To-Point Encryption (P2PE) solutions for processing only card-present transactions. Keep in mind that the hardware, firmware, and software versions must all match up to an approved solution listed on the PCI Council’s P2PE Listings in order to qualify for this version of the SAQ.
SAQ D: As mentioned earlier, the SAQ D includes all the requirements of the PCI DSS. Service providers, merchants performing any form of cardholder data storage, and merchants that don’t meet any of the descriptions above are required to use the SAQ D. Keep in mind that the SAQ D for service providers is slightly different from the version for merchants, so it is important that you use the correct version for your organization.
If you are still unsure which version of the SAQ you should be using, your merchant bank should be able to confirm which version they are expecting you to complete based on your established payment processes.