PCI SAQ: Types, Requirements, & Applicability Worksheet
Anwita
Oct 10, 2024
If you are a merchant or service provider who manages, transmits, stores, or accesses card data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS).
To comply with PCI DSS, your job does not end at the requirement checklist – PCI requires you to validate that you are actually doing what you claim to. This is done using a PCI SAQ.
TLDR
A PCI SAQ (Self-Assessment Questionnaire) is a tool used by merchants to assess their PCI DSS compliance. It applies to businesses that process card payments but don’t require a full PCI audit.
The correct SAQ depends on how your business handles cardholder data, such as SAQ A for fully outsourced processing or SAQ D for in-house storage.
Complete a PCI SAQ by answering the provided questions based on your business’s security practices, ensuring honest and thorough responses.
What is PCI SAQ?
The PCI DSS Self-Assessment Questionnaire (PCI SAQ) is a worksheet that merchants and service providers use to attest to and report their PCI DSS compliance status. This validation tool is for merchants and service providers who are not required by the payment brands to submit a PCI DSS Report on Compliance (ROC).
SAQ-eligible merchants are legally permitted to conduct self-assessments to validate their compliance status, provided they meet the eligibility criteria for the applicable SAQ. Each PCI self-assessment questionnaire covers the PCI DSS requirements relevant to that payment channel and includes an attestation of compliance.
PCI SAQ types
There are ten types of SAQ for merchants. Which one applies depends on how you process and handle payment cards.
SAQ A
Applicable to merchants that have outsourced all cardholder data functions to third-party service providers and do not electronically store, process, or transmit cardholder data on their systems or premises.
It is not applicable for face-to-face channels or service providers.
To qualify as a SAQ A merchant, you must meet the following eligibility criteria:
- Accept only card-not-present transactions.
- Retain account data only on paper, not in electronic format.
SAQ B-IP
SAQ B-IP applies to merchants that use standalone, PIN Transaction Security (PTS) point-of-interaction (POI) payment terminals with an IP connection to the payment processor and no electronic cardholder data storage. The PTS POI devices must not be connected to any other system within the merchant’s environment and must not rely on another device to connect to the payment processor.
PTS POI devices classified as Secure Card Readers (SCR) and Secure Card Readers for PIN (SCRP) are excluded from SAQ B-IP.
SAQ B-IP is not applicable to e-commerce channels.
SAQ C-VT
SAQ C-VT applies to merchants that manually enter one transaction at a time, via keyboard, into an internet-based virtual terminal hosted by a PCI DSS validated third-party service provider. The merchant must not store electronic cardholder data.
SAQ C-VT merchants should confirm that they:
- Process payments only through a virtual payment terminal that operates through a web browser
- Use a virtual payment terminal hosted by a PCI DSS compliant third-party service provider
- Access the virtual payment terminal from a single device that is isolated from other systems and not connected to any other system or location in the merchant environment
- Use a computing device with no attached hardware that can capture, store, or process account data
- Do not receive, transmit, or store account data via electronic channels, and retain such records only on paper
SAQ C-VT is not applicable to e-commerce channels.
SAQ C
SAQ C is for merchants with payment application systems connected to the internet that do not store electronic cardholder data. Merchants in this category process payments using point-of-sale (POS) systems or payment gateways connected to the internet.
Merchants are eligible for SAQ C if they:
- Have the payment application system and the internet connection on the same system and local area network (LAN). This payment system must not be connected to any other system within the cardholder data environment.
- Ensure that the physical location of the POS environment operates independently and is not connected to any other premises or locations.
- Ensure that no cardholder data is stored in electronic format.
SAQ C does not apply to e-commerce channels.
SAQ P2PE-HW
SAQ P2PE-HW (Point-to-Point Encryption, hardware) is for merchants that use only hardware payment terminals to process transactions. These terminals are included in and managed as part of a validated, PCI SSC-listed P2PE solution, and the merchant does not store electronic cardholder data.
Merchants in this payment channel must process all transactions through a validated, PCI SSC-listed P2PE solution and implement all controls in the P2PE Instruction Manual (PIM). They must not receive, store, process, or transmit account data electronically.
SAQ P2PE-HW does not apply to e-commerce channels.
SAQ SPoC
SAQ SPoC (Software-based PIN Entry on COTS) was introduced with PCI DSS v4.0. It applies to merchants that accept payments on commercial off-the-shelf (COTS) mobile devices, such as smartphones or tablets, using a secure card reader that is part of a PCI SSC-listed, validated SPoC solution. In addition, the merchant must not have access to clear-text account data and must not store account data electronically.
To qualify for the SPoC payment channel, merchants must:
- Process payments through card-present payment channels only
- Implement the controls listed in the SPoC user guide provided by the solution provider
- Capture and process account data only through a Secure Card Reader for PIN (SCRP) that is part of a PCI SSC-listed, validated SPoC solution
SPoC does not apply to unattended card-present, mail-order/telephone-order (MOTO), or e-commerce channels. Service providers are also excluded.
SAQ D
For merchants – Applicable when none of the other SAQ descriptions apply.
For service providers – Applicable when the payment brand has deemed the service provider eligible to complete an SAQ.
PCI SAQ questions and VAPT requirement
Refer to the table below for more details on the PCI SAQ types.
| SAQ Type | Total Questions | Vulnerability Scan Requirement | Penetration Testing Requirement |
| --- | --- | --- | --- |
| SAQ A | 22 | No | No |
| SAQ A-EP | 191 | Yes | Yes |
| SAQ B | 41 | No | No |
| SAQ B-IP | 82 | Yes | No |
| SAQ C-VT | 79 | No | No |
| SAQ C | 160 | Yes | No |
| SAQ P2PE-HW | 33 | No | No |
| SAQ D | 329 | Yes | Yes |
Which SAQ is right for my business?
The correct SAQ depends on the way you store, process, and transmit cardholder data. It also depends on the number of transactions your business processes. For example, if you process more than six million transactions, you must get a report on compliance (ROC) conducted by a Qualified Security Assessor (QSA).
The table below maps each merchant type and its account data handling to the applicable PCI DSS SAQ.
| Applicable PCI DSS SAQ | Merchant Type | Account Data Handling |
| --- | --- | --- |
| SAQ A | Card-not-present merchants (e-commerce, mail/telephone order) | Merchants who accept card-not-present transactions, but do not store, process, or transmit cardholder data on their systems or premises. |
| SAQ A-EP | Card-not-present merchants (e-commerce, mail/telephone order) | Merchants that accept card-not-present transactions, store or process cardholder data electronically but only via their own systems. |
| SAQ B-IP | Merchants with point-of-sale systems | Merchants using standalone payment terminals connected via the internet that do not store cardholder data after authorization. |
| SAQ B | Merchants with dial-out point-of-sale terminals | Merchants using standalone, dial-out point-of-sale devices that connect directly to the payment processor via a phone line. |
| SAQ C-VT | Merchants using virtual terminals | Merchants manually entering transaction data using a virtual terminal solution provided by a third-party service provider. |
| SAQ C | Merchants with integrated payment systems | Merchants using a payment system integrated into their accounting or business management software that stores or processes cardholder data. |
| SAQ D (for Merchants) | Merchants that store cardholder data electronically | Merchants that store, process, or transmit cardholder data electronically using their own systems. |
| SAQ D (for Service Providers) | Service providers | Organizations that store, process, or transmit cardholder data on behalf of merchants or other organizations. |
You can download the SAQ eligibility checklist to know which SAQ type is right for you.
It is advisable to contact your merchant bank or payment brand to confirm the appropriate SAQ. Review the SAQ types and go through the set of questions or checklist in each.
How to complete PCI SAQ
There are five steps to complete your PCI DSS self-assessment:
- Identify the appropriate controls applicable to your environment.
- Ensure that your environment is adequately scoped and meets the eligibility criteria for the chosen SAQ.
- Assess your environment against the applicable PCI DSS requirements.
- Complete all three sections of the document.
- Submit your SAQ, Attestation of Compliance (AOC), and any other required documents to the payment brand or body that requested them.
The SAQ offers four responses for each question, and you can select only one. Here are the responses and when to use each:
- Yes: You have performed the required testing and met all other stated requirements.
- Yes with CCW: You have performed the testing and met the requirements using PCI compensating controls. In this case you must also complete the Compensating Controls Worksheet (CCW) in Appendix B of the SAQ.
- No: You have met few or none of the requirements, are still in the process of implementing them, or still need to test before you know whether they are in place.
- N/A: Not Applicable means the requirement does not apply to your organization. You must provide a supporting explanation in Appendix C of the SAQ.
The easy way to PCI DSS
Much like the 12 labors of Hercules, the 12 requirements of PCI DSS are hard but not impossible to achieve, at least when done the right way – the Sprinto way.
Be it scoping or network segmentation, when you don’t execute properly, the impact will be felt throughout your environment.
Sprinto takes care of every requirement applicable to your organization in the PCI checklist.
Sprinto automates it all in an effortless way – to take away the burden of planning, designing, scoping, and monitoring.
Talk to us today to make your PCI DSS journey a seamless and breezy experience.
FAQs
What is PCI SAQ B?
PCI SAQ B is for merchants that process cardholder data using imprint (slip) machines or standalone dial-up terminals. These merchants can process transactions with or without the card present but do not store card data in their systems.
Who is PCI SAQ for?
PCI SAQ is for merchants or service providers who process less than six million transactions annually.
What are the types of PCI SAQ?
There are nine types of PCI SAQ. These are SAQ A, SAQ A-EP, SAQ B, SAQ B-IP, SAQ C-VT, SAQ C, SAQ P2PE-HW, and SAQ D.
What’s new in PCI DSS v4.0 SAQs?
The PCI DSS v4.0 SAQs have been revised to offer clearer guidance, updated requirements, and enhanced resources for completing the self-assessment. Changes reflect PCI DSS v4.0 updates, with SAQ requirements now mirroring the standard’s wording and aligning reporting responses with the PCI DSS v4.0 Report on Compliance Template.
Why do some PCI DSS requirements in SAQs have multiple response checkboxes?
Some PCI DSS requirements in SAQs have multiple checkboxes for each bullet point to ensure thorough testing of each part, especially for newer or more complex requirements. This approach highlights that each bullet needs separate consideration and a specific testing method.
What does SAQ stand for? How long should an SAQ be?
In PCI DSS, SAQ stands for Self-Assessment Questionnaire. The length of an SAQ varies with the type of payment channel.