| SAQ | Who should use it | Key requirements |
|---|---|---|
| SAQ A | E-commerce merchants who have fully outsourced all cardholder data functions to validated third parties, with no electronic storage, processing, or transmission of cardholder data on the merchant's systems or premises, or e-commerce merchants who redirect customers to a third-party payment processor. | Focuses on maintaining policies and procedures, securing physical access to cardholder data, and ensuring that third-party service providers are PCI DSS compliant. |
| SAQ A-EP | E-commerce merchants who outsource all payment processing to third parties but have a website that does not directly receive cardholder data but can impact the security of the payment transaction. | Includes requirements for securing the website, managing vulnerabilities, and ensuring secure transmission of cardholder data. |
| SAQ B | Merchants who process cardholder data only via imprint machines or standalone, dial-out terminals, with no electronic storage of cardholder data. | Focuses on securing physical access to cardholder data, maintaining policies and procedures, and ensuring secure transmission of cardholder data. |
| SAQ B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic storage of cardholder data. | Includes requirements for securing the payment terminals, managing vulnerabilities, and ensuring secure transmission of cardholder data. |
| SAQ C-VT | Merchants who manually enter a single transaction at a time via a virtual terminal solution on a computer connected to the internet, with no electronic storage of cardholder data. | Focuses on securing the virtual terminal, maintaining policies and procedures, and ensuring secure transmission of cardholder data. |
| SAQ C | Merchants with payment application systems connected to the internet, with no electronic storage of cardholder data. | Includes requirements for securing the payment application system, managing vulnerabilities, and ensuring secure transmission of cardholder data. |
| SAQ P2PE | Merchants using only hardware payment terminals included in a validated, PCI-listed Point-to-Point Encryption (P2PE) solution, with no electronic storage of cardholder data. | Focuses on securing the P2PE solution, maintaining policies and procedures, and ensuring secure transmission of cardholder data. |
| SAQ D for Merchants | Merchants not covered by any of the above SAQs, typically those with more complex environments that store, process, or transmit cardholder data. | Comprehensive coverage of all PCI DSS requirements, including securing cardholder data, managing vulnerabilities, and maintaining policies and procedures. |