Accepting payment cards spans industries, even businesses that would not necessarily consider themselves to be a "merchant" in terms of traditional brick & mortar retailers. However, any company that accepts payment via debit and/or credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). Some businesses choose to segment off the cardholder environment and manage it by its own unique policies and standards. Other businesses address PCI DSS requirements as part of its overall policies and standards. Either way works and ComplianceForge offers solutions for both approaches!
SAQs are requirements for smaller merchants and service providers that are not required to submit a Report on Compliance (ROC). It is designed as a self-validation tool to assess security for cardholder data that uses a series of yes-or-no questions for each applicable PCI DSS requirement.
There are different questionnaires available to meet different merchant environments. Merchants are required to identify the SAQ that best describes how it accept payment cards. Some organizations may even need to fill out different SAQs, based on different methods of accepting payment (e.g., SAQ A for its website and SAQ C for its "brick & mortar" store locations). If you are not sure which questionnaire applies to you, contact your merchant services provider for assistance or review the official PCI Security Standards Council's guidance on "assessing the security of your cardholder data" to help determine the appropriate SAQ type for your organization - https://www.pcisecuritystandards.org/pci_security/completing_self_assessment
ComplianceForge sells its PCI DSS Policies & Standards based on the SAQ type (shown below):
| SAQ Type | Method of Accepting Payment Cards | E-Commerce | In-Person |
| A |
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels. |
Yes | No |
| A-EP |
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels. |
Yes | No |
| B | Merchants using only:
|
No | Yes |
| B-IP |
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
No | Yes |
| C |
Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. |
No | Yes |
| C-VT |
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. |
No | Yes |
| D (Merchant) | All merchants not included in descriptions for the above types. | Yes | Yes |
| D (Service Provider) | All service providers defined by a payment card brand as eligible to complete a SAQ. | N/A | N/A |
You can click on the matrix below for a downloadable PDF that shows the PCI DSS v4 controls as they apply to the SAQ levels:
For the SAQ types that were listed above, ComplianceForge offers the following PCI DSS v4.0 cybersecurity policies & standards templates:
Note: This version is specific to Self-Assessment Questionnaire (SAQ) A for PCI DSS v4.0. If you are not sure what SAQ level you need, please review the official PCI Standards Council site. PCI DSS v4.0 - Cybersecurity Policies &...
Note: This version is specific to Self-Assessment Questionnaire (SAQ) A-EP for PCI DSS v4.0. If you are not sure what SAQ level you need, please review the official PCI Standards Council site. PCI DSS v4.0 - Cybersecurity Policies &...
Note: This version is specific to Self-Assessment Questionnaire (SAQ) B for PCI DSS v4.0. If you are not sure what SAQ level you need, please review the official PCI Standards Council site. PCI DSS v4.0 - Cybersecurity Policies &...
Note: This version is specific to Self-Assessment Questionnaire (SAQ) B-IP for PCI DSS v4.0. If you are not sure what SAQ level you need, please review the official PCI Standards Council site. PCI DSS v4.0 - Cybersecurity Policies &...
Note: This version is specific to Self-Assessment Questionnaire (SAQ) C for PCI DSS v4.0. If you are not sure what SAQ level you need, please review the official PCI Standards Council site. PCI DSS v4.0 - Cybersecurity Policies &...
Note: This version is specific to Self-Assessment Questionnaire (SAQ) C-VT for PCI DSS v4.0. If you are not sure what SAQ level you need, please review the official PCI Standards Council site. PCI DSS v4.0 - Cybersecurity Policies &...
Note: This version is specific to Self-Assessment Questionnaire (SAQ) D-Merchant for PCI DSS v4.0. If you are not sure what SAQ level you need, please review the official PCI Standards Council site. PCI DSS v4.0 - Cybersecurity Policies...
Note: This version is specific to Self-Assessment Questionnaire (SAQ) D-Service Provider for PCI DSS v4.0. If you are not sure what SAQ level you need, please review the official PCI Standards Council site. PCI DSS v4.0 - Cybersecurity...
Complying with NIST SP 800-171 & CMMC can be hard enough without arguing over terminology. Terminolo...
Within the Defense Industrial Base (DIB), there is considerable confusion about the concept of "FedR...
Threat vs Vulnerability vs RiskThreat, vulnerability and risk management practices are meant to achi...
Policy vs Standard vs Control vs Procedure When it comes to cybersecurity compliance, words...
