Sorting through the available PCI Self-Assessment Questionnaires (SAQs) to find the one that applies to your organization can be a daunting task, and the choice matters: the completed SAQ is an organization's written demonstration of PCI DSS compliance. Simply put, a PCI SAQ is how a business shows that it is taking the measures required to keep cardholder data secure within its environment.

PCI SAQs apply to merchants that process fewer than 6 million transactions per year (i.e., Merchant Levels 2-4) and are therefore not required to undergo an on-site assessment by a Qualified Security Assessor. There is not one but a total of nine SAQs to choose from, each with questions and requirements specific to a particular type of payment environment. In this article, Packetlabs will make sense of the differences and help your organization determine which PCI SAQ is required.

Determining the Right PCI SAQ

First, it is important to note that each PCI SAQ includes its own defined subset of the PCI DSS requirements that the business must understand and comply with. Different requirements mean a different set of questions, so the SAQs vary significantly in length: SAQ A contains the shortest list, with only 22 questions, and SAQ D contains the most substantial list, with 329 questions. (Question counts change between PCI DSS versions, so verify the figures below against the SAQ version your acquirer requires.)

How your organization accepts card payments and handles cardholder data determines which SAQ it must complete. Fundamentally, the SAQ must match the processing environment; an SAQ that is too narrow for the environment is not valid evidence of compliance.

Below, we have compiled the details of each PCI SAQ to sort through the weeds and help your organization determine which PCI SAQ is required.

SAQ A

PCI SAQ A is designed for card-not-present merchants (e-commerce, telephone order or mail order) that have completely outsourced all cardholder data functions to PCI DSS validated third parties. There must be no electronic storage, processing or transmission of any cardholder data on the merchant's systems or business premises.

  • Number of Questions: 22
  • Vulnerability Scan Requirements: None
  • Penetration Testing Requirements: None

SAQ A-EP

PCI SAQ A-EP is designed for e-commerce-only merchants that use a third-party service provider to handle their cardholder data, but whose own website, while it does not itself receive card data, could directly affect the security of the transaction (for example, by controlling how the customer is redirected to the payment processor). There must be no electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises.

  • Number of Questions: 191
  • Vulnerability Scan Requirements: Yes
  • Penetration Testing Requirements: Yes

SAQ B

PCI SAQ B is designed for merchants that use only imprint machines or standalone dial-out terminals and have no electronic cardholder data storage, transmission or processing on their systems. This SAQ is not applicable to e-commerce environments.

  • Number of Questions: 41
  • Vulnerability Scan Requirements: No
  • Penetration Testing Requirements: No

SAQ B-IP

PCI SAQ B-IP is designed for merchants that use only standalone PTS-approved payment terminals with an IP connection directly to the payment processor, segmented from other devices on the network. The merchant must have no electronic cardholder data storage. This SAQ is not applicable to e-commerce environments.

  • Number of Questions: 82
  • Vulnerability Scan Requirements: Yes
  • Penetration Testing Requirements: No

SAQ C

PCI SAQ C is designed for merchants with payment application systems connected to the internet, but with no electronic cardholder data storage.

  • Number of Questions: 160
  • Vulnerability Scan Requirements: Yes
  • Penetration Testing Requirements: No

SAQ C-VT

PCI SAQ C-VT is designed for merchants that manually enter transactions into a web-based virtual terminal on a single computer, on an isolated network at one location, that is dedicated exclusively to card processing. The merchant must have no electronic cardholder data storage. This SAQ is not applicable to e-commerce environments.

  • Number of Questions: 79
  • Vulnerability Scan Requirements: No
  • Penetration Testing Requirements: No

SAQ P2PE

PCI SAQ P2PE is designed for merchants that process cardholder data only through approved* point-to-point encryption (P2PE) devices and have no electronic cardholder data storage.

  • Number of Questions: 33
  • Vulnerability Scan Requirements: No
  • Penetration Testing Requirements: No
*Only hardware payment terminals that are part of a PCI-listed, validated P2PE solution qualify.

SAQ D: Merchants

PCI SAQ D for Merchants is designed for merchants that do not meet the criteria of any other SAQ: those that do not outsource their card processing or use a validated P2PE solution, and that may store cardholder data electronically. A common example is a merchant website that accepts payments directly, without handing card entry off to a direct-post or transparent-redirect service.

  • Number of Questions: 329
  • Vulnerability Scan Requirements: Yes
  • Penetration Testing Requirements: Yes

SAQ D: Service Providers

PCI SAQ D for Service Providers is the only SAQ available to service providers, and it applies to any service provider that a payment brand has defined as eligible to self-assess rather than undergo an on-site assessment.

  • Number of Questions: 329
  • Vulnerability Scan Requirements: Yes
  • Penetration Testing Requirements: Yes

PCI SAQ: Your Organization's Roadmap to Better Security

Completing the questionnaire is one of the best ways for an organization to confirm it is not missing any vital security requirements. The SAQ should be thought of not simply as a roadmap to PCI compliance but as a roadmap to a better overall security posture. Merchant processors and acquirers have no interest in working with an insecure business, which is why they commonly require each merchant to submit a completed SAQ (and Attestation of Compliance) as proof of payment security.

Penetration Testing and Vulnerability Scanning

Of the nine SAQs listed above, only three require both penetration testing and vulnerability scanning: SAQ A-EP and SAQ D (for merchants and for service providers). Two more, SAQ B-IP and SAQ C, require vulnerability scanning only. Where scanning is required, the external scans must be performed at least quarterly by a PCI Approved Scanning Vendor (ASV) and must pass, and the merchant retains the reports as evidence.

At Packetlabs, we remind all organizations that whether or not a given SAQ calls for penetration testing, that requirement exists only with respect to PCI compliance and the protection of cardholder data. It does not address customer privacy, broader cybersecurity posture or brand reputation, all of which are crucial to an organization's success. If you would like more information on anything covered here, or to learn how our services can help protect your organization, please contact us today.