The SAQ is a validation tool for eligible merchants and service providers who self-assess their PCI DSS compliance and who are not required to submit a Report on Compliance (ROC). The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQs provide flexibility based on the complexity of particular merchant environments (see chart below).
The PCI DSS Self-Assessment Questionnaire Guidelines and Instructions document provides more details on each SAQ type. The type of questionnaire your department will need depends upon how payment cards are processed. For more information on Self Assessment Questionnaires or to access a questionnaire in PDF format visit the CampusGuard SAQ Portal.
| SAQ | Description |
|---|---|
| A |
Card not present merchants (ecommerce or ma ii/telephone order) that have fully outsourced all card holder data functions to PCI DSS compliant third party service A providers, with no electronic storage, processing, or transmission of any card holder data on the merchant's systems or premises. Not applicable to face to face channels. |
| A-EP |
Ecommerce merchants who outsource a Il payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive card holder data but that can impact thesecurity of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels. |
| B |
Merchants using only: Imprint machines with no electronic cardholder data storage and/or Standalone dial out terminals with no electronic cardholder data storage. Not applicable to ecommerce channels. |
| B-IP |
Merchants using only standalone, PTS approved payment terminals with an IP connection to the payment processor, with no electronic card holder data storage. Not applicable to ecommerce channels. |
| C-VT |
Merchants who manually enter a single transaction at a time via a keyboard into an Internet based virtual terminal solution that is provided. and. hosted by a PCI DSS validated third party service provider. No electronic cardholder data storage. Not applicable to ecommerce channels. |
| C |
Merchants with payment application systems connected to the Internet, no electronic card holder data storage. Not applicable to ecommerce channels. |
| P2PE-HW |
Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC listed P2PE solution, with no electronic card holder data storage. Not applicable to ecommerce channels. |
| D |
SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types. SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete a SAQ. |
