The PCI DSS Self-Assessment Questionnaire is a validation tool developed by the PCI SSC to assist merchants and service providers in self-evaluating their compliance with the PCI DSS.
All merchants and their service providers are required to comply with the PCI DSS in its entirety and, if they are eligible for self-assessment, to attest that they comply by using the standard Attestation of Compliance (AoC) document. New Self-Assessment Questionnaires and Attestations of Compliance were released in 2016 to meet the requirements of version 3.2 of the PCI DSS.
In the last versions of the questionnaire, there were nine validation categories (see Table 3), each of which can be downloaded from: www.pcisecuritystandards.org/document_library.
Table 3: Self-Assessment Questionnaire validation categories
SAQ validation type |
Description |
A |
Card-not-present (e-commerce or mail/telephone order) merchants that outsource all cardholder functions and have no direct control over storing, processing or transmitting cardholder data. All payment pages originate from third parties. This never applies to face-to-face merchants. |
A-EP |
Partially outsourced e-commerce merchants, using a third-party website for payment processing. The merchant’s website only controls how cardholder data is redirected to a third-party payment processor. No electronic storage, processing or transmission of CHD. Only applies to e-commerce channels. |
B |
Imprint only or standalone, dial-out (via a phone line) terminal merchants. No transmission of cardholder data over data networks, no electronic storage of CHD. Not applicable to e-commerce channels. |
B-IP |
Merchants with standalone IP-connected, PTS-approved terminals, the only transmission is from the terminal to the payment processor (isolated connection), no electronic storage of cardholder data. Not applicable to e-commerce channels. |
C |
Merchants with payment applications connected to the Internet, but isolated from the rest of the environment. The physical location of the POS is not connected to other locations (single LAN only). No electronic storage of cardholder data. Not applicable to e-commerce channels. |
C-VT |
Merchants with web-based virtual payment terminals in which the virtual terminal system is isolated from the rest of the environment. No attached card readers and no electronic storage of cardholder data. Not applicable to e-commerce channels. |
D (Merchants) |
All other SAQ-eligible merchants that do not meet the criteria for any other SAQ. |
D (Service Providers) |
All SAQ-eligible service providers. |
P2PE-HW |
Merchants using hardware payment terminals in a PCI-listed P2PE solution. No electronic cardholder data storage, no electronic processing or transmission of cardholder data outside of the P2PE solution. Not applicable to e-commerce channels. |
3.15.22.202