PCI SAQ: Types, Requirements, & Applicability Worksheet

Anwita

Feb 03, 2024

If you are a merchant or service provider who manages, transmits, stores, or accesses card data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS).

To comply with PCI DSS, your job does not end at the requirement checklist: PCI DSS requires you to demonstrate that you are actually doing what you claim to do. This is done using a PCI SAQ.

What is PCI SAQ?

PCI DSS Self-Assessment Questionnaires (PCI SAQ) are a set of validation tools that help merchants and service providers evaluate their PCI DSS compliance status and report it.

Each PCI self-assessment questionnaire consists of questions pertaining to the PCI DSS requirements and an Attestation of Compliance.

PCI SAQ types

There are nine types of SAQ for merchants. Each is based on how you process and handle payment cards. 

SAQ A

Applicable to merchants who have outsourced all cardholder data functions to third-party service providers and who do not electronically store, process, or transmit cardholder data on their own systems or premises.

It is not applicable for face-to-face channels. 

SAQ A-EP

SAQ A-EP is for e-commerce merchants who:

  • Have outsourced all payment processing functions to PCI DSS validated third parties
  • Operate a website that does not itself receive cardholder data but could affect the security of the payment transaction
  • Do not store, process, or transmit cardholder data on their own systems or premises

It is applicable only to e-commerce channels.

SAQ B

Only for merchants who use:

  • Imprint machines only, with no electronic storage of cardholder data
  • Standalone, dial-out terminals with no electronic storage of cardholder data

SAQ B is not applicable to e-commerce channels.

SAQ B-IP

Only for merchants who use standalone, PTS-approved payment terminals with an IP connection to the payment processor and who do not store electronic cardholder data.

SAQ B-IP is not applicable to e-commerce channels.

SAQ C-VT

SAQ C-VT is applicable to merchants who manually key in one transaction at a time into an internet-based virtual terminal hosted by a PCI DSS validated third-party service provider, and who do not store electronic cardholder data.

It is not applicable to e-commerce channels.

SAQ C

SAQ C is for merchants who use a payment application system connected to the internet and who do not store electronic cardholder data.

It is not applicable to e-commerce channels.

SAQ P2PE-HW

SAQ P2PE-HW is for merchants who process payments only through hardware terminals that are included in and managed through a validated, PCI SSC-listed P2PE solution, and who do not store electronic cardholder data.

It is not applicable to e-commerce channels.

SAQ D

For merchants: applicable when none of the above SAQ descriptions apply.

For service providers: applicable when the payment brand has defined the service provider as eligible to complete an SAQ.


PCI SAQ questions and VAPT requirement

Refer to the table below for more details on the PCI SAQ types. 

SAQ Type    | Total Questions | Vulnerability Scan Requirement | Penetration Testing Requirement
SAQ A       | 22              | No                             | No
SAQ A-EP    | 191             | Yes                            | Yes
SAQ B       | 41              | No                             | No
SAQ B-IP    | 82              | Yes                            | No
SAQ C-VT    | 79              | No                             | No
SAQ C       | 160             | Yes                            | No
SAQ P2PE-HW | 33              | No                             | No
SAQ D       | 329             | Yes                            | Yes

Which SAQ is right for my business?

The correct SAQ depends on the way you store, process, and transmit cardholder data. It also depends on the number of transactions your business processes. For example, if you process more than six million transactions, you must obtain a Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA) instead of completing an SAQ.

It is advisable to contact your merchant bank or payment brand to identify the appropriate SAQ. Review the types of SAQ and go through the set of questions or checklist in each.


How to complete PCI SAQ

There are five steps to complete your PCI DSS self-assessment:

  1. Identify the appropriate controls applicable to your environment.
  2. Ensure that your environment is adequately scoped and meets the eligibility criteria for the chosen SAQ.
  3. Assess your environment against the applicable PCI DSS requirements.
  4. Complete all three sections of the document.
  5. Submit your SAQ, Attestation of Compliance (AOC), and other necessary documents to the payment brand or body that requested them.

The SAQ has four response options for each question, and you can select only one of them. Here are the responses and when you can use them.

  • Yes: You have performed the required tests and met all other stated requirements.
  • Yes with CCW: You have performed the tests and met the requirements using PCI compensating controls. Additionally, you must complete the Compensating Control Worksheet (CCW) in Appendix B of the SAQ.
  • No: You have met few or none of the requirements, are still in the process of implementing them, or need further testing to know whether they are in place.
  • N/A: Not Applicable, meaning the requirement does not apply to your organization. You must provide a supporting explanation in Appendix C of the SAQ.

The easy way to PCI DSS 

Much like the 12 labors of Hercules, the 12 requirements of PCI DSS are hard but not impossible to achieve, at least when done the right way – the Sprinto way. 

Be it scoping or network segmentation, when you don’t execute properly, the impact will be felt throughout your environment. 

Sprinto takes care of every requirement in the PCI checklist that is applicable to your organization.

Sprinto automates it all in an effortless way – to take away the burden of planning, designing, scoping, and monitoring. 

Talk to us today to make your PCI DSS journey a seamless and breezy experience.

FAQs

What is PCI SAQ B?

PCI SAQ B is for merchants who process cardholder data using slip machines or standalone dial-up terminals. These merchants can process transactions with or without a card present but do not store card data in their systems.

Who is PCI SAQ for?

PCI SAQ is for merchants or service providers who process less than six million transactions annually. 

What are the types of PCI SAQ?

There are nine types of PCI SAQ. These are SAQ A, SAQ A-EP, SAQ B, SAQ B-IP, SAQ C-VT, SAQ C, SAQ P2PE-HW, and SAQ D. 

Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.
