Understanding PCI DSS 4.0 SAQ types is a crucial step in ensuring your business meets the necessary security standards. There are four SAQ types, each with its own specific requirements and implications.
For SAQ A, merchants with no electronic cardholder data (ECD) stored on their systems can self-attest to compliance, making it a straightforward process. This type is ideal for merchants who don't store sensitive data.
SAQ B, on the other hand, is for merchants who have a limited amount of ECD stored on their systems, but only for a short period of time, such as during a payment processing session. This type requires more documentation than SAQ A, but still allows for self-attestation.
Determining Your Business Type
To determine your business type, identify how you process payments, following the guidance PCI DSS provides. Both merchants and service providers must comply with PCI DSS.
Merchants are primarily engaged in selling goods or services and directly handle cardholder data. This is a key distinction from service providers.
Service providers are external entities that provide services related to payment card transactions and may also handle cardholder data as part of their service.
SAQ Types
There are 9 types of SAQs for PCI DSS v4.0, including the new SPoC. Each SAQ is tailored to specific payment processing methods and scenarios.
SAQ A-EP is for e-commerce merchants that outsource all payment processing to PCI DSS validated third-party service providers, except for the payment page. SAQ B is for brick-and-mortar or mail/telephone order merchants whose standalone terminals connect only via dial-up phone lines. SAQ B-IP is for merchants whose standalone terminals connect via IP rather than dial-up phone lines.
SAQ C is for merchants that use internet-connected payment application systems but do not store electronic cardholder data. SAQ D is for service providers that a payment brand has defined as eligible to complete an SAQ, and for merchants that store card data electronically.
SAQ Types for PCI DSS v4.0
To choose the right SAQ among the 9 types for PCI DSS v4.0, merchants and service providers need to determine their business type and payment processing methods.
For e-commerce merchants, SAQ A-EP is the applicable type. This SAQ is for merchants that outsource all payment processing to PCI DSS validated third-party service providers, except for the payment page.
SAQ B is for brick-and-mortar or mail/telephone order merchants and does not apply to e-commerce channels. Merchants that qualify for this SAQ use standalone terminals that connect only via dial-up phone lines.
SAQ B-IP is for merchants whose standalone terminals connect via IP rather than dial-up phone lines: the terminal connects by Ethernet cable to a router or modem, which in turn connects to an internal network or an internet service provider.
SAQ D is for merchants and service providers who store card data electronically. This SAQ has 329 questions and requires a vulnerability scan and penetration testing.
Here is a summary of the SAQ types for PCI DSS v4.0:
SAQ C is for merchants that have payment application systems connected to the internet and no electronic cardholder data storage. SAQ C-VT is for merchants that manually key each transaction, one at a time, into an internet-based virtual terminal solution.
SAQ D is the most comprehensive SAQ, with 329 questions, and is required for merchants and service providers who store card data electronically.
P2PE-HW
P2PE-HW is a specific type of SAQ that's designed for merchants who use only hardware payment terminals that are part of a validated, PCI SSC-listed P2PE solution.
To qualify for this SAQ, you must not store any electronic cardholder data.
Here are the key facts about the P2PE-HW SAQ:
- For: Merchants (not e-commerce)
- Who process payments by: Hardware-only P2PE payment terminals
- Number of questions: 33
- Vulnerability scan required: No
- Penetration testing required: No
The P2PE-HW SAQ is a relatively short questionnaire, with only 33 questions to answer. This makes it a more manageable process for merchants who are already using P2PE hardware devices.
C-VT for MOTO on VT
C-VT for MOTO on VT is a type of SAQ designed for merchants who process card-not-present transactions using a virtual terminal solution provided by a PCI DSS-validated third-party service provider.
This type of SAQ applies to businesses that do not store, process, or transmit any cardholder data on their systems or premises but rely entirely on a third party to handle these functions.
The virtual terminal solution is web-browser-based access to an acquirer, processor, or third-party service provider website to manually enter payment card data for a single transaction at a time (no swipe device).
SAQ C-VT has 79 questions and requires neither a vulnerability scan nor penetration testing.
Here are some key requirements for merchants using SAQ C-VT for MOTO on VT:
- Access control is required to limit temporary access to cardholder data in the MOTO payment flow by employees’ job classification and function.
Choosing the Right Option
Service providers have a simple choice: they submit SAQ D – Service Provider.
Merchants, on the other hand, have nine SAQ types to choose from, which makes selection more challenging.
To determine which SAQ is right for your business, consider how you process payments and manage cardholder data.
Working with a Qualified Security Assessor (QSA) can simplify selecting and completing an SAQ.
Understanding the nuances of PCI DSS v4.0 begins with a deep dive into the “PCI DSS v3.2.1 to PCI DSS v4.0 Summary of Changes.”
This resource, available in the PCI SSC Document Library, offers a concise overview and descriptions of the disparities between v3.2.1 and v4.0.
Understanding New Requirements
Understanding the new requirements can be daunting, given the extent of the changes in PCI DSS v4.0. The PCI SSC Document Library is the place to start: it provides a concise overview of the changes between v3.2.1 and v4.0.
The "PCI DSS v3.2.1 to PCI DSS v4.0 Summary of Changes" describes the differences between the two versions clearly. It includes a "Summary of New Requirements" table that catalogs each new requirement, who it applies to, and its effective date.
Start by studying this resource thoroughly and absorbing the v4.0 requirements.
Understand New Requirements
Choosing the right PCI DSS option can be overwhelming, especially with the various self-assessment questionnaires (SAQs) and levels to consider.
If you're a service provider, selecting the right SAQ is straightforward: you submit SAQ D – Service Provider.
To become PCI DSS compliant, first determine which standards you need to meet, then assess your existing program to see whether your data protection measures are sufficient.
You'll need to choose a SAQ type based on how you process payments and manage cardholder data, as well as whether you're a merchant or service provider.
If you're a merchant, consider how you handle cardholder data: if you accept account data on your website or by phone, or you electronically store cardholder account data, you'll need to submit SAQ D – Merchant.
Once you've chosen the right SAQ type, you'll need to understand the new requirements for PCI DSS v4.0. The "PCI DSS v3.2.1 to PCI DSS v4.0 Summary of Changes" in the PCI SSC Document Library, which includes a "Summary of New Requirements" table, is the resource to study for that.
Frequently Asked Questions
What are the 5 SAQ validation types?
There are 5 SAQ validation types: A, B, C-VT, C, and D, each designed for specific merchant types and credit card data processing methods. Understanding the differences between these types is crucial for merchants to ensure secure payment processing and compliance.
What is the difference between SAQ A and SAQ D?
SAQ A and SAQ D differ in length, with SAQ A having 31 questions and SAQ D having 251 questions, reflecting the different levels of complexity in PCI DSS compliance.