Merchants and service providers that accept, store, or manage card payments are required to establish PCI compliance using a Report on Compliance (RoC) or a Self-Assessment Questionnaire (SAQ). Most card companies’ PCI validation programs allow merchants and service providers with a lower volume of card transactions, among other factors, to submit an SAQ. With 9 PCI SAQ types to choose from, selecting and completing the SAQ that best fits your payment environment might be challenging.

In this blog post, we provide an overview of the SAQ types for PCI DSS v4.0 and how to select an SAQ that’s right for your business.

What is a PCI DSS SAQ?

PCI DSS SAQs are validation documents that eligible merchants and service providers must submit to their acquiring bank or payment card brand to demonstrate compliance with PCI requirements.

Every PCI SAQ has four major sections:

  1. The scope of the assessment
  2. The SAQ eligibility criteria
  3. The PCI requirements applicable to the environment identified in the SAQ criteria
  4. The Attestation of Compliance

If an entity cannot meet a certain applicable PCI requirement due to any legitimate technical or business limitations, they can submit a compensating controls worksheet to show they have other controls in place that tackle the associated risk.

Learn more about the baseline PCI DSS requirements and compliance validation in our blog post, ‘What are the 12 PCI DSS requirements for compliance?’


SAQ types for PCI DSS v4.0

There are 9 types of SAQs for PCI DSS v4.0, including the new SPoC. Here is an overview of each SAQ and its eligibility criteria.

SAQ A

This SAQ is for e-commerce or mail/telephone-order merchants who have completely outsourced all cardholder account data functions to a PCI-compliant service provider. No cardholder data is processed, stored, or transmitted on their systems or premises. An example is a merchant website that redirects customers to a compliant third-party service provider's payment page.

SAQ A-EP

This SAQ applies to e-commerce merchants who partially outsource payment processing to PCI-compliant third parties. While these merchants do not process, store, or transmit cardholder data on their systems, they do have websites with payment pages that affect the security of the transaction.

SAQ B

Merchants – not operating in e-commerce channels – that use imprint machines or standalone, dial-out terminals without electronic account data storage are eligible to submit an SAQ B. No electronic data storage.

SAQ B-IP

This document is for merchants that use only standalone, approved PIN Transaction Security (PTS) point-of-interaction devices with an IP connection to the payment processor. Not for e-commerce environments. No electronic data storage.

SAQ C-VT

This SAQ applies to merchants using a third-party virtual payment terminal with an isolated computing device and secure web browser. No electronic data storage. Not applicable to e-commerce channels.

SAQ C

Merchants that use payment systems connected to the internet, without any electronic account data storage, can submit an SAQ C. No electronic data storage. Not for e-commerce channels.

SAQ P2PE

This SAQ applies to merchants using a validated point-to-point encryption solution with no access to clear-text account data. No electronic data storage. Not for e-commerce channels.

NEW! SAQ SPoC

This is a newly introduced SAQ for PCI DSS v4.0. Merchants that use a commercial, off-the-shelf mobile device with a validated card reader are eligible to submit this SAQ. The merchant must not have access to clear-text account data and must not store account data electronically. Not for e-commerce channels.

SAQ D

This document has two types – one for merchants that do not fit any of the other SAQ eligibility criteria, and one for eligible service providers. With over 300 questions, SAQ D is the lengthiest and most demanding SAQ type.

PCI DSS definitions of merchant vs. service provider

According to the PCI Security Standards Council, a merchant is defined as any organization that accepts payment cards issued by American Express, Discover, JCB, Mastercard, and Visa. A service provider, on the other hand, is any entity that stores, processes, or transmits cardholder data for other merchants or similar entities.

Which PCI SAQ type is right for you?

Selecting the right SAQ is essential to achieve and maintain PCI compliance. Some of the key factors that will determine which PCI SAQ is right for your business include how you process payments and manage cardholder data, as well as whether you are a merchant or service provider.

If you are a service provider, then the choice is simple since SAQ D – Service Provider is the only applicable assessment for such entities. However, for merchants, there are nine different SAQ types, so the selection process is more challenging.

As a merchant, one of the first things to consider is how you handle cardholder data. If you accept account data on your website, by phone, or electronically store cardholder account data, then you are required to submit an SAQ D – Merchant.

On the other hand, if you don’t store cardholder data, then look for an SAQ that aligns with your payment environment. For instance, if you’re an e-commerce merchant with a website that includes an embedded payment form from a compliant third-party vendor, then you will be eligible to submit an SAQ A.

Working with a Qualified Security Assessor (QSA), trained and certified by the PCI Security Standards Council, can help simplify the process of selecting and completing an SAQ.


Can you submit multiple SAQs for PCI compliance?

If your business uses multiple payment channels that are isolated from each other, then you might be able to submit different SAQs instead of one SAQ D. At this stage, it’s best to consult with your acquiring bank or a QSA for guidance to streamline the selection process and ensure you pick the right assessment documents for your payment environments.

Need assistance with completing your PCI SAQ?

GraVoc’s professional team of PCI DSS consultants and QSAs can help your business select and submit the right PCI DSS Self-Assessment Questionnaire! Our trained team can also provide the documentation and perform the security assessments necessary to demonstrate compliance with your PCI SAQ requirements.

Click below to check out our PCI compliance services or contact us today to get started!
