Using the Self-Assessment Questionnaire (SAQ)
Future merchants can utilize the self-validation tool, "SAQ" to assess the type of validation required for their business process. The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the PCICC must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant's or service provider's business situation (see chart below). The SAQ validation type does not correlate to the merchant classification or risk level.
Self-Assessment Questionnaire
SAQ | Description |
---|---|
A | Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced to PCI DSS compliant service providers. Not applicable to face-to-face channels. |
A-EP | E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels. |
B | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. Not applicable to e-commerce channels. |
B-IP | Merchants using only stand-alone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
C | Merchants with segmented payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
C-VT | Merchants using only web-based virtual payment terminals, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
D | All merchants not included in the descriptions for other SAQ types. |
P2PE | Merchants who have implemented a validated Point-to-Point Encryption Solution that is listed on the PCI SSC website, with no electronic cardholder data storage. Not applicable to e-commerce channels. |