What is a PCI SAQ?

A PCI SAQ (Payment Card Industry Self-Assessment Questionnaire) is a tool used by merchants and service providers to assess their compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

There are several types of PCI SAQs, each tailored to a specific type of business and the way it handles credit card transactions. The different SAQ types are:

  • SAQ A: For merchants that use only card-not-present (e-commerce or mail/telephone order) transactions and do not store, process, or transmit cardholder data on their own systems.
  • SAQ A-EP: For merchants that use e-commerce transactions but outsource their payment processing to a PCI DSS-compliant third-party service provider.
  • SAQ B: For merchants that use imprint machines or standalone dial-out terminals and do not store, process, or transmit cardholder data on their own systems.
  • SAQ B-IP: For merchants that use standalone IP-connected payment terminals and do not store, process, or transmit cardholder data on their own systems.
  • SAQ C: For merchants that process cardholder data via a payment application system and do not store cardholder data on their own systems.
  • SAQ C-VT: For merchants that process cardholder data via a virtual terminal and do not store cardholder data on their own systems.
  • SAQ D: For merchants that store, process, or transmit cardholder data on their own systems.

Merchants and service providers must complete the appropriate SAQ and submit it to their acquiring bank or payment brand to demonstrate their compliance with PCI DSS. However, some businesses may require an on-site assessment by a Qualified Security Assessor (QSA) instead of completing a SAQ.