Choosing the Right PCI SAQ for Your Business

Troy Fine, Senior Manager Cybersecurity Risk Management and Compliance
February 10, 2022

illustration of a sheet with questions and a pen.

Although data breaches in the U.S. have decreased over the last several years, credit card breaches still represent a significant risk to businesses, with the average data breach costing $3.86 million

To protect consumers’ credit card data, companies that process, store, or transmit credit card data must meet the PCI DSS (Payment Card Industry Data Security Standard). Depending on your specific validation requirements, you may only be required to submit a self-assessment questionnaire—also referred to as PCI SAQ. An SAQ can ask you anywhere from under 50 to over 300 questions to determine if you meet those requirements. 

To help you figure out which SAQ best fits your business, we break down each type below. 

SAQ Types

Companies that receive credit card data range from e-commerce retailers to mom-and-pop storefronts. The type of SAQ that will be needed will depend on the characteristics of how credit card data is processed.

SAQ TYPE REQUIREMENTS/CHARACTERISTICS
A
  • Card-not-present merchants (e-commerce or order-by-mail/telephone) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers.
  • No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
  • Not applicable to face-to-face channels.
A-EP
  • E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction.
  • No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
  • Applicable only to e-commerce channels.
B
  • Merchants using only imprint machines with no electronic cardholder or standalone, dial-out terminals with no electronic cardholder data storage.
  • Not applicable to e-commerce channels.
B-IP
  • Merchants using only standalone, PIN Transaction Security approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. 
  • Not applicable to e-commerce channels.
C
  • Merchants with payment application systems connected to the internet, no electronic cardholder data storage. 
  • Not applicable to e-commerce channels.
C-VT
  • Merchants who manually enter a single transaction at a time via a keyboard into an internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. 
  • No electronic cardholder data storage.
  • Not applicable to e-commerce channels.
P2PE
  • Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. 
  • Not applicable to e-commerce channels.
D
  • SAQ D for Merchants: Applies to any merchant that doesn’t fit into any other SAQ types. 
  • SAQ D for Service Providers: Applies to all service providers defined by a payment card brand as eligible to complete a SAQ. Also applies to third-party vendors providing services that impact the security of a merchant’s or service provider’s cardholder data environment.

Frequently Asked Questions

Here are a few frequently asked questions on PCI to help you determine if this framework applies to your business, find more information on their requirements and guidelines, and choose the right SAQ. 

Does PCI DSS Apply to My Business?

PCI DSS applies to two types of organizations—merchants and service providers.

Merchants are defined as any entity that accepts payment cards as payments for goods or services. Service providers are defined as entities directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. It also includes third-party service providers that control or could impact the security of cardholder data. 

In addition, if you are considered a third-party vendor to a merchant or service provider and your services impact their cardholder data environment, then your validation requirements should be documented in your contracts with those merchants and service providers. If you need help determining your validation requirements, reach out to your merchant bank or to the entity requesting validation to the PCI DSS. 

The goals of PCI are to ensure that organizations maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain information security policies. 

Where Can I Find More Information on PCI DSS? 

The PCI Security Standards Council (PCI SSC) manages the PCI DSS and each payment card brand (VISA, American Express, Mastercard, etc.) maintains its own separate compliance enforcement programs. 

Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing SAQs, and when to engage a Qualified Security Assessor (QSA) to complete a Report on Compliance (ROC).

To find this information, here are a few places on the PCI SSC website you can start with: 

How do I Choose the Right One?

Before deciding on which SAQ to use, you will need to determine if you are required to engage a QSA to perform an audit and complete a ROC. 

To determine if a ROC will be required:

  • Merchants and service providers should review the validation requirements specified by each payment brand. 
  • Merchants should inquire with their merchant bank. 
  • Vendors working with merchants and service providers should review their contracts to determine their validation requirements.

If a ROC is not required, then you will more than likely be required to complete an SAQ. 

To choose the right SAQ, the first step will be to determine if you are considered a merchant or a service provider as defined by the PCI DSS. 

If you are a merchant, you should review the different types of SAQs and consider the operational flow and processes by which you handle credit card transactions. 

If you are a service provider or third-party vendor, then you will be required to complete the SAQ-D for service providers.

If you’re ready to get started on PCI and ensure you’re processing and storing cardholder data securely, book a demo with our team. 

Subscribe & receive the latest content.

Subscribe & receive the latest content.

PUT COMPLIANCE ON AUTOPILOT

Get Started Today

Close more sales and build trust faster while eliminating the hundreds of hours of manual work that used to go into maintaining your SOC 2 report and ISO 27001 certification.

JOIN THE 1,000+ COMPANIES THAT TRUST DRATA
Trusted by the best: