As a merchant accepting credit and debit card payments, you come face to face with confusing industry acronyms every day. There’s EMV, POS, ACH, SCA – it’s a lot to stay on top of!
As a double acronym, then, PCI SAQ is doubly confusing.
Which is why, below, we’re explaining exactly what PCI SAQs are, why they’re important, and which one you need to choose for your business.
Better still, we’re diving deep into the different types of SAQ to help you understand which one you need – and whether your business can fall into more than one SAQ.
So let’s begin by asking the first question on your lips: what is PCI SAQ, exactly?
What is PCI SAQ?
PCI SAQs (Self-Assessment Questionnaires) are a set of questionnaires developed by the Payment Card Industry Security Standards Council (PCI SSC).
As a merchant, SAQs are designed to help you self-assess your compliance with PCI DSS (Payment Card Industry Data Security Standard) regulations. (These are standards in place to protect the security of a customer’s payment card data in a transaction, and lower the risk of fraud and data breaches.)
Understanding how your business is faring in terms of PCI compliance is crucial – because all merchants who accept credit and debit card payments must remain PCI compliant. And all merchants who handle card data – no matter how much, or how little – must complete an SAQ.
Why are PCI SAQs required?
So – why are PCI SAQs so important?
Well, first and foremost, PCI SAQs are your business’s way of demonstrating to your customers that you’re taking the security measures required to safeguard their debit and credit card information. PCI compliance does, after all, protect consumers from financial losses, and goes a long way towards mitigating the impact of fraud on your own business’s revenue and reputation.
Secondly, PCI SAQs – an integral part of PCI DSS compliance – are mandated by the major card schemes (including Visa, Mastercard, Discover, and American Express). And, while not a law, PCI compliance is still baked into contracts you’ll sign with these schemes.
Failing to comply comes with (often severe) consequences, too. Depending on the severity of the PCI non-compliance, monthly fines can range from $5,000 to $100,000.
Thirdly, SAQs provide vital consistency: a structured framework for companies of differing sizes, and across different industries, to assess their security practices. PCI SAQs create a level of uniformity and comparability that help card schemes evaluate compliance consistently.
That said, when it’s time to complete an SAQ, don’t do it for the card schemes – do it for your business. To avoid fines. Understand any weaknesses in your existing data security setup. And bolster your business against fraud – while setting it up for the future.
Whether you achieve all that will, of course, hinge on the question: which SAQ do you need?
Which PCI SAQ do I need?
There are nine different SAQs available, all with differing lengths and levels of complexity.
The shortest contains 22 questions; the longest has 329 (don’t panic, though – you’ll only have to fill out one!) The PCI SAQ category you fall into will depend on several factors specific to your business, such as:
- Which types of payments you process, and through which platforms
- How you store and transmit cardholder information
Below, we’re breaking down the PCI SAQ categories in 2023, to help you understand which one’s right for you.
SAQ A
If you’ve outsourced all your cardholder data processing functions to an external, PCI compliant payment service provider (such as Checkout.com), you’ll qualify for SAQ A.
It’s designed for merchants that rely entirely on third-party payment service providers to handle cardholder data, and where the merchant has no impact over the security of the transaction.
SAQ A is the simplest, most streamlined questionnaire; and, at just 22 questions, the shortest.
SAQ A-EP
If your business primarily deals in ecommerce transactions, has outsourced its payment processing to a third-party provider – yet still has a limited level of interaction with cardholder data through its website – it’ll most likely be eligible for SAQ A-EP.
Unlike with SAQ A – where businesses redirect customers to a third-party payment gateway to complete the transaction – SAQ A-EP applies to businesses that do have some involvement with cardholder information. The merchant may collect the cardholder’s name, card number, and expiry date to send to the payment service provider to authorize; however, they are not allowed to process, store, or transmit this information.
Essentially, SAQ-EP is for any online merchants with processes that could impact a transaction’s security. Because of this, the questionnaire is more complex, with its 191 questions placing it behind only SAQ D (329 questions) for length.
SAQ B
If you process payment card transactions through imprint machines or standalone, dial-out terminals, you’ll be eligible for SAQ B.
SAQ B isn’t for ecommerce environments; in fact, it’s more common in situations where internet connectivity isn’t available (or even necessary) to process payments; and which relies on telephone lines, instead.
SAQ B merchants do have (albeit limited) exposure to cardholder data, in that they need to capture and store it for later authorization. However, the important bit is that they don’t do this electronically; and instead use an imprint machine to capture these sensitive details on paper.
Because these devices are offline, and isolated from network-connected devices, this cardholder data is less vulnerable to cyber threats or online data breaches.
SAQ B’s lower risk profile means it’s one of the shortest SAQs, with just 41 questions.
SAQ B-IP
If you process credit and debit card payments through standalone, IP (Internet Protocol)-connected point-of-sale (POS) terminals – like the card readers you see on most bricks-and-mortar store countertops – you’ll be eligible for SAQ B-IP.
Unlike the devices in SAQ B, these terminals are connected to the internet for the purposes of payment processing. And, while they do require the entry of cardholder data – where it’s processed and sent to the payment processor for authorization – they don’t store cardholder data electronically, remaining isolated from other devices on the network.
SAQ B-IP contains 82 questions.
SAQ C-VT
If your business processes card-not-present (CNP) transactions through a virtual terminal or web-based payment application, you’re most likely looking at completing a SAQ C-VT.
SAQ C-VT merchants primarily take payments over the phone (call centers, for example, or businesses specializing in mail order/telephone order (MOTO) payments). They don’t capture card details electronically, but manually: usually by typing them into a virtual terminal.
Merchants using SAQ C-VT enter, process, and transmit cardholder data for authorization; but, once it’s cleared, don’t retain this information electronically. SAQ C-VT has 79 questions.
SAQ C
If your business uses internet-connected devices to process payments, you’ll likely fall into the SAQ C category.
SAQ C merchants process payments through several internet-connected means, including:
- A virtual terminal or IP terminal for phone-based payments
- A mobile card reader or tokenized POS system for in-store payments
- Their own website or app for online payments
After relaying cardholder data to their payment service provider to authorize the transaction, SAQ C merchants don’t electronically hold on to cardholder data.
SAQ C is the third-longest questionnaire, with 160 questions.
SAQ P2PE-HW
Despite having the longest name – it stands, in full, for Self-Assessment Questionnaire Point-to-Point Encryption Hardware – SAQ P2PE-HW is the second-shortest questionnaire, with only 33 questions.
SAQ P2PE-HW is for you if your business uses validated point-to-point encryption (P2PE) hardware solutions to safeguard sensitive cardholder data. P2PE encodes your customers’ credit and debit card information at your POS terminal – rendering it unreadable until it arrives safely at the secure decryption environment of your payment processor.
Merchants who qualify for SAQ P2PE-HW still don’t electronically store cardholder data after the transaction has been authorized; after it’s encrypted, the merchant doesn’t see it again.
SAQ D
With 329 questions, SAQ D is the longest and most comprehensive questionnaire here. It’s designed for merchants and payment service providers that don’t fall into the categories covered by the more specific SAQ types (SAQ A, B, and C).
Generally, SAQ D is for organizations that store, process, and transmit cardholder data in a multitude of different ways – and play in more diverse, dynamic payment processing environments. This could include businesses that make unscheduled payment agreements, for instance: which require storing a customer’s card details for use in later transactions.
If your business accepts payments online, for example – but doesn’t use a direct post or transparent redirect service – you’ll most likely be categorized as SAQ D. Similarly, if your in-person POS system doesn’t utilize tokenization or P2PE, or if you store card data electronically (regardless of the method), you’ll be eligible to fill out this questionnaire.
SAQ D also applies to any merchants categorized as a financial institution looking to accept Mastercard payments (or payments involving a full card number). To find out more about the additional regulatory requirements for financial institutions, read our full guide.
Can I fall into two different PCI SAQs?
While you may notice some overlap between the different PCI SAQs as they relate to your situation, your business should generally fall only into one category at a time – and this needs to be based on your primary method of processing cardholder data.
After all, each PCI SAQ has been designed to align with different, specific payment scenarios and environments – so businesses are generally only meant to complete one SAQ category alone. However, there may be some exceptions, where more than one SAQ (or a switch to a different SAQ) could be required.
Possible examples include:
- If your business has several different locations or business models that each processes cardholder data differently.
- If your business has segmented its cardholder data environment to handle cardholder data in different ways.
- If your business has changed your primary method of taking payments.
If you’re struggling to select the PCI SAQ that’s the best fit for your business, talk to your payment processor or acquiring bank for advice. If you’re really stuck – or are a business with more complex payment processing needs – you can engage a Qualified Security Assessor (QSA). These are experts who can provide a more comprehensive assessment of your security and compliance needs; and offer up more detailed, tailored guidance.
How Checkout.com can help you with PCI compliance
At Checkout.com, we’re Level 1 PCI DSS compliant – the highest standard possible.
This already takes a lot of the burden of PCI compliance off the merchants we work with – especially as, by processing payments and cardholder data for them, our unified payments platform can limit the amount of work they have to do to stay compliant.
By offering merchants ways to accept hosted payments, for instance (including payment links, frames, and hosted payment gateways), we can help them achieve PCI compliance SAQ A – the easiest (and shortest) questionnaire to fill out.
We also help our merchants renew and validate their PCI DSS certification through our partnership with SecurityMetrics, a leading merchant data security solutions provider and QSA.
SecurityMetrics is licensed to certify merchants as PCI compliant; and, after you complete your SAQ with them, they’ll award you with an Attestation of Compliance (AOC).
Want to find out more about how Checkout.com can help you get (and stay) up to speed with your business’s PCI compliance obligations? Explore our documentation for the most comprehensive take, or get in touch with our team to start the conversation.
Learn more: Opportunities presented by PCI DSS 4.0
The contents of this blog post do not constitute legal advice and are provided for general information purposes only.