An "SAQ" or "Self-Assessment Questionnaire" is the questionnaire required by the payment associations (Visa®, MasterCard®, Discover® Network and American Express®) that assists merchants in becoming compliant with the PCI DSS. According to the Associations, all merchants and service providers are required to comply with the PCI Data Security Standard in its entirety. There are five SAQ Validation categories, shown briefly in the table below and described in more detail in the following paragraphs.
You don't need to use the table to figure out which SAQ to use. Our SAQ Wizard makes it easy based on a few "Yes" and "No" questions.
SAQ A has been developed to address requirements applicable to merchants who retain only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their premises.
Merchants in Validation Type 1 do not store cardholder data in electronic format and do not process or transmit any cardholder data on their premises, and must validate compliance by completing SAQ A and the associated Attestation of Compliance, confirming that:
- Your company handles only card-not-present (e-commerce or mail/telephone-order) transactions
- Your company does not store, process, or transmit any cardholder data on your premises, but relies entirely on a third party to handle these functions
- Your company has confirmed that the third party handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant
- Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically
- Your company does not store any cardholder data in electronic format
This option would never apply to merchants with a face-to-face POS environment.
SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or stand-alone dial-up terminals.
Merchants in Validation Type 2 only process cardholder data via imprint machines, and must validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that:
- Your company uses only an imprint machine to take your customers' payment card information
- Your company does not transmit cardholder data over either a phone line or the Internet
- Your company retains only paper copies of receipts
- Your company does not store cardholder data in electronic format
Merchants in Validation Type 3 process cardholder data via stand-alone, dial-out terminals, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone order (card-not-present) merchants. Merchants in Validation Type 3 must validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that:
- Your company uses only standalone, dial-out terminals (connected via a phone line to your processor)
- The standalone, dial-out terminals are not connected to any other systems within your environment
- The standalone, dial-out terminals are not connected to the Internet
- Your company retains only paper reports or paper copies of receipts
- Your company does not store cardholder data in electronic format
SAQ C has been developed to address requirements applicable to merchants whose payment application systems (for example, point-of-sale or shopping cart systems) are connected to the Internet (via a high-speed connection, DSL, cable modem, etc.), either because:
1. The payment application system is on a personal computer that is connected to the Internet (for example, for e-mail or web browsing), or
2. The payment application system is connected to the Internet to transmit cardholder data.
Merchants in Validation Type 4 process cardholder data via payment application systems connected to the Internet, do not store cardholder data on any computer system, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone-order (card-not-present) merchants. Merchants in Validation Type 4 must validate compliance by completing SAQ C and the associated Attestation of Compliance, confirming that:
- Your company has a payment application system and an Internet connection on the same device
- The payment application system/Internet device is not connected to any other systems within your environment
- Your company retains only paper reports or paper copies of receipts
- Your company does not store cardholder data in electronic format
- Your company's payment application software vendor uses secure techniques to provide remote support to your payment application system
SAQ D has been developed to address requirements applicable to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under Validation Types 1-4 above.
Service providers and merchants in Validation Type 5 must validate compliance by completing SAQ D and the associated Attestation of Compliance.
While many of the organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. For example, a company that does not use wireless technology in any capacity would not be expected to validate compliance with the sections of the PCI DSS that are specific to wireless technology. See the guidance below for information about the exclusion of wireless technology and certain other, specific requirements.