PCI DSS SAQ types are categorized according to the payment card industry's security requirements.
There are four types of SAQ, each with its own requirements and documentation needs.
SAQ A is the most basic type, requiring minimal documentation, and is typically used by merchants with no electronic cardholder data storage.
SAQ A suits merchants with a simple payment processing setup and no complex payment systems.
SAQ B is used by merchants who do not store sensitive authentication data and requires more documentation than SAQ A.
SAQ B is typically used by merchants who rely on a payment processor to handle all payment card transactions.
SAQ C is used by merchants who do store sensitive authentication data and requires even more documentation than SAQ B.
SAQ D is the most comprehensive type: it requires detailed documentation and is typically used by merchants with complex payment systems.
SAQ D is used by merchants who have multiple payment processing systems and need to meet the most stringent security requirements.
What Are the Self-Assessment Questionnaires?
There are nine self-assessment questionnaires that are applicable to a range of PCI transaction workflows.
To determine which one you should complete, you need to consider a variety of criteria that range from how you process and protect cardholder data to the hardware you use to process your transactions.
The easiest way for a merchant to know which SAQ they should fill out is to ask their acquiring bank.
Acquiring banks are responsible for ensuring that you have filled out the right assessment questionnaires.
There are distinct SAQ types tailored to specific payment processing methods and scenarios.
We will look at each one in depth so that you can determine which works best for your business needs.
Choosing a Self-Assessment Questionnaire
To choose the right self-assessment questionnaire, consider how you process and protect cardholder data, as well as the hardware you use to process transactions. There are nine SAQs in total, each applicable to a range of PCI transaction workflows.
Ask your acquiring bank (the bank or merchant processor that actually processes your transactions) which SAQ you should fill out. They can guide you in determining which SAQ is right for your business, and they are responsible for ensuring that you have filled out the right assessment questionnaire, so don't hesitate to reach out to them.
Each SAQ type is tailored to specific payment processing methods and scenarios, so it's essential to choose the one that best fits your business. Choosing the correct SAQ ensures you meet the necessary security standards and protect your customers' sensitive information.
Types of PCI DSS SAQs
There are 14 different types of PCI DSS SAQ, each designed for a specific payment processing scenario. SAQ A is the easiest, with just 22 questions, and is used by merchants who outsource all cardholder data functions to compliant third parties.
SAQ B, with 41 questions, is used by merchants who process card-present and card-not-present transactions with standalone dial-up point-of-sale terminals that don't store credit card details.
SAQ B-IP, with 82 questions, is for merchants who process card-present or card-not-present transactions using approved payment terminals that send transactions over the Internet.
SAQ C, with 160 questions, is used by merchants who process transactions purely through terminals, such as vending machines.
SAQ C-VT, with 79 questions, is for merchants who process card-not-present transactions using a virtual terminal solution provided by a PCI DSS-validated third-party service provider.
SAQ P2PE-HW is for merchants who use only hardware payment terminals that are included in and managed through a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
SAQ D is the most comprehensive questionnaire, with 328 questions. It is used by merchants who don't meet the criteria for any other SAQ, such as those who handle key PCI DSS scope requirements within their own environment or who electronically store cardholder data.
Here's a summary of the SAQ types described above:

| SAQ | Who it applies to | Questions |
|---|---|---|
| A | Merchants who outsource all cardholder data functions to compliant third parties | 22 |
| B | Standalone dial-up point-of-sale terminals that don't store card details | 41 |
| B-IP | Approved payment terminals that send transactions over the Internet | 82 |
| C | Transactions processed purely through terminals (e.g. vending machines) | 160 |
| C-VT | Card-not-present transactions through a validated third-party virtual terminal | 79 |
| P2PE-HW | Hardware terminals within a validated, PCI SSC-listed P2PE solution; no electronic cardholder data storage | |
| D | Merchants who don't meet the criteria for any other SAQ, including those who electronically store cardholder data | 328 |
E-commerce and Online Payments
E-commerce and online payments are a critical aspect of many businesses, and PCI DSS SAQ types play a crucial role in ensuring the security of these transactions. SAQ A is the questionnaire for e-commerce merchants who process payments through a third-party payment processor, and it's available for merchants who have delegated all cardholder data functions to an external entity.
For e-commerce merchants who have outsourced all payment processing to compliant third parties, SAQ A-EP is the applicable SAQ type. This variant is exclusive to e-commerce channels and requires the merchant's website to redirect to, or embed in an iframe, a PCI DSS-compliant service provider.
The key difference between SAQ A and SAQ A-EP lies in how the merchant handles cardholder data: under SAQ A, responsibility is outsourced to a third party, whereas under SAQ A-EP the merchant controls the redirection of cardholder data to a validated payment processor.
Card-Not-Present
Card-Not-Present Transactions are a common occurrence in e-commerce, and understanding the SAQ requirements is essential for compliance.
SAQ A is the questionnaire used by merchants who outsource payment transactions to a third-party vendor such as Stripe, using an iframe or SDK. Such a merchant isn't handling any credit card data on its own.
SAQ A merchants process card-not-present transactions, whether using the internet, by phone, or even by mail order. Such merchants have fully outsourced their payments to a third-party vendor.
SAQ A is an easy self-assessment questionnaire with just 22 questions. This makes it a more manageable option for merchants who are new to PCI DSS compliance.
The SAQ types applicable to e-commerce channels are therefore SAQ A and SAQ A-EP.
These SAQ types ensure that merchants who outsource their payment processing are still held accountable for maintaining PCI DSS compliance.
Only Through Terminal
If you're an e-commerce merchant who only processes transactions through terminals, you're in luck: SAQ C is the way to go. This self-assessment questionnaire has 160 questions, which makes it a challenging one, but it's a good fit for your business model.
As a merchant who only uses terminals to process transactions, you don't have to worry about storing sensitive payment card details. This is a big relief, and it's a key factor in why SAQ C is the right choice for you.
Here are some key facts about SAQ C:
- Number of questions: 160
- Challenging self-assessment questionnaire
- Merchants process transactions purely through terminals
- Does not store sensitive payment card details
You might be wondering what kind of businesses qualify as SAQ C merchants. The answer is any business that processes transactions solely through terminals, such as vending machines or kiosks.
Other Categories & Eligible Service Providers
If you're a merchant or service provider who doesn't fit into any of the other categories, you'll need to complete an SAQ D. This questionnaire is specifically designed for those who store card data electronically.
SAQ D is the most comprehensive questionnaire, with 329 questions for service providers and merchants who don't fall into other categories. It's also the most difficult self-assessment questionnaire, with a long list of questions to answer.
To give you a better idea of what SAQ D entails, here are some key facts:
- For: Service Providers and Merchants who don't fall into other categories
- Who: Store card data
- Number of questions: 329
- Vulnerability scan (Y/N)? Yes
- Penetration testing (Y/N)? Yes
This means that if you're a merchant or service provider who stores card data electronically, you'll need to complete an SAQ D and answer all 329 questions.
Compliance and Documentation
Compliance and documentation are crucial aspects of PCI DSS SAQ types. A company's PCI Merchant level is defined by the individual stakeholder whose cards it primarily processes.
Merchant Level 1 requires merchants who process over six million annual transactions across all sales channels to submit a Report on Compliance (ROC) and an Attestation of Compliance (AOC) annually. This is a significant requirement, as it affects the type of documentation needed.
Merchant Level 2, on the other hand, requires merchants who process one to six million annual transactions across all channels to submit an SAQ and an AOC annually. This is a slightly less stringent requirement than Level 1.
Merchant Level 3 requires merchants who process 20 thousand to one million e-commerce transactions annually to submit an SAQ and an AOC annually. This level is specific to e-commerce transactions.
Merchant Level 4 requires merchants who process fewer than 20 thousand annual e-commerce transactions or one million transactions across all channels to submit an SAQ annually. This is the least stringent requirement of the four levels.
Regardless of the merchant level, documentation must account for all controls. This is a critical aspect of PCI DSS compliance, as it ensures that all necessary security measures are in place.
Key Takeaways
PCI DSS SAQ types can be overwhelming, but understanding the basics can make a big difference.
To demonstrate compliance with the PCI DSS, merchants and service providers must complete a self-assessment questionnaire (SAQ).
Merchants and service providers must determine their business type, their payment processing methods, and the questionnaire appropriate to their situation.
Tools like Thoropass can be used to automate and simplify the process of submitting documentation and ensuring ongoing compliance with PCI DSS requirements.
Here are some key things to keep in mind when determining your SAQ type:
- Business type: This includes the type of business you operate, such as an e-commerce website or a brick-and-mortar store.
- Payment processing methods: This includes how you process payments, such as online or in-person.
Frequently Asked Questions
What is the difference between SAQ A and SAQ A-EP?
SAQ A and SAQ A-EP differ in how merchants handle cardholder data: under SAQ A, responsibility is outsourced to a third party, whereas under SAQ A-EP the merchant controls the redirection of data to a validated payment processor.