An SAQ or self-assessment questionnaire is a validation test for merchants accepting credit and debit card payments, per the requirements of PCI DSS (Payment Card Industry Data Security Standard). Merchants must take the SAQ mainly to stay in compliance, and those ignoring the assessment or submitting an inaccurate assessment can be penalized or put at risk of data loss. As of the time of this writing, there are nine SAQ types from which a merchant can choose when they wonder what PCI SAQ is needed, with the decision depending on how transactions and card information are handled. The PCI SAQ types are discussed in the sections below.
PCI SAQ Types
Sellers who accept payments without the physical presence of a card must typically take SAQ A. Most of these businesses outsource payment processing to third parties and do not store card data. These CNP (card not present) merchants often transact through telephone, mail and online orders. If a merchant falls into this category, the payment processor must also comply with PCI standards.
This is one of the newest SAQs, and it has a few minor differences from SAQ A. A merchant that partially outsources payment processing, but retains some control, must take SAQ A-EP. Recent PCI updates mean that many vendors who previously took SAQ A must now take the new version. The requirements applies only to e-commerce vendors that do not retain customers’ data.
This type of SAQ is not used by e-commerce suppliers, but by brick and mortar retailers that use isolated terminals and imprint machines for payment processing. Here, customers’ card info may be stored in hard copy format, but not digitally. Although SAQ B does not apply to e-commerce, it is common for businesses in this group to do MOTO payments.
This SAQ type isn’t applicable to e-retailers, but it is used by merchants handling in-person transactions and MOTO requests. A recent addition to PCI guidelines, SAQ B-IP is for businesses processing payments over an IP link through a POI (point of interaction) device. Vendors in this category must keep payment devices isolated, and they do not electronically store card information.
Simply, SAQ C is for sellers handling payments over the internet without retaining card info. SAQ C is not applicable to e-commerce sellers, but to small businesses who use online apps to process card payments. Businesses in this group handle MOTO, CNP and in-person transactions.
P2PE is an acronym for point-to-point encryption. SAQ P2PE is another new addition to PCI, and it applies to vendors handling payments through P2PE certified terminals. Yet again, this type of SAQ is not used by e-retailers.
If a business cannot determine which PCI SAQ, or it does not meet criteria for other SAQ types, it uses SAQ D. Apart from its use in validation assessment, SAQ D is the only option applying to providers for PCI compliance. It is one of the most difficult SAQs, in that merchants must meet more than 200 requirements encompassing PCI DSS rules. SAQ D is used by sellers who store card information during payment processing.
This is the most current list of SAQs according to the latest version of PCI DSS. SAQs are a vital component of secure payments, and they serve purposes other than being a compliance standard. For these reasons, payment processors and card issuers prefer to work with vendors who have taken an SAQ as proof of data security and due care.