How to Pick the Correct Type of SAQ (Self-Assessment Questionnaire) for Your Business

A data breach is a serious concern for any business. Large corporations lose millions following a data breach, but for a small or medium-sized company a breach can mean the end of the business. Have a look at some examples of the most recent data breaches here. Many of the companies on the list are well-known brands that invest substantial resources in cybersecurity, and yet they still get hacked.

That’s why maintaining PCI compliance status on your account is extremely important and we are committed to supporting you every step of the way through this process. Let’s start with an SAQ, a self-assessment questionnaire designed to help you better understand the correct processes while handling sensitive cardholders’ information.


There are 8 types of SAQ, and it’s important to pick the right type for your business model. Your PCI (Payment Card Industry) compliance portal will present you with a series of questions that help you choose the correct SAQ, but it’s important to understand what is being asked first. Let’s go over the different SAQ types to help you determine which one applies to you.

SAQ Type: A (24 Questions)

Type A is designed for card-not-present e-commerce businesses that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers. These businesses do not electronically store, process, or transmit any cardholder data on their own systems. This SAQ type is not applicable to the face-to-face channel. Merchants under this SAQ only complete the questionnaire; no scan is required.

SAQ Type: A-EP (192 Questions)

Type A-EP is designed for e-commerce businesses that outsource payment processing to PCI DSS validated third parties but host the website(s) themselves, so that their own site can affect the security of the payment transaction. These businesses process or transmit cardholder data on the merchant’s systems or premises, and they require a scan. The A-EP SAQ type applies only to e-commerce channels.

SAQ Type: B (41 Questions)

Type B is designed for merchants using standalone dial-out (phone or GPRS connection) terminals with no electronic data storage. These businesses don’t need a scan, as no electronic storage, transmission or processing of cardholder data is involved on their systems.


SAQ Type: B-IP (87 Questions)

Type B-IP is designed for businesses using a standalone payment terminal with an IP connection (wired or wireless) and no electronic data storage. Because the terminal is reachable over IP, these merchants need to pass a scan.

SAQ Type: C (160 Questions)

Type C is designed for merchants who use POS software over an IP connection, or a card reader attached to a virtual terminal. This type is not applicable to e-commerce businesses, and these merchants require a scan.

SAQ Type: C-VT (84 Questions)

Type C-VT is designed for merchants that use virtual terminals, manually keying in one transaction at a time into an Internet-based virtual terminal solution provided and hosted by a PCI DSS validated third-party service provider. No electronic data storage is involved, and these merchants don’t need to pass a scan.

SAQ Type: P2PE (33 Questions)

P2PE stands for point-to-point encryption, a standard established by the PCI Security Standards Council. A P2PE payment solution encrypts confidential payment card (credit and debit card) data the moment the card is swiped, so the merchant’s own systems only ever handle it in indecipherable form. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment. There is no electronic data storage involved, and these businesses don’t need to complete a scan.

SAQ Type: D (330 Questions)

This SAQ type is designed for businesses that do store cardholder data electronically, or that have been involved in a previous data breach. These merchants need to complete a scan and perform a penetration test.
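The selection rules above can be written down as a small decision function, which is handy for a first-pass check before you sit down with the compliance portal. This is an added example, not part of the original post or of any PCI SSC tooling; the field names and the precedence order (storage or a prior breach forces D before any channel-specific type is considered) are assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class MerchantProfile:
    """Constructed merchant attributes; every field name is an assumption."""
    stores_cardholder_data: bool = False      # any electronic storage on own systems
    prior_breach: bool = False                # identified in a previous data breach
    ecommerce: bool = False                   # card-not-present web channel
    fully_outsourced: bool = False            # all cardholder functions at a validated provider
    p2pe_solution: bool = False               # PCI-listed P2PE solution in use
    virtual_terminal_hosted: bool = False     # single manual entry into provider-hosted VT
    pos_software_ip: bool = False             # merchant-run POS software over IP
    standalone_terminal: Optional[str] = None # "dial" or "ip", None if no standalone terminal

# Scan requirement per SAQ type, as described in the post.
SCAN_REQUIRED = {"A": False, "A-EP": True, "B": False, "B-IP": True,
                 "C": True, "C-VT": False, "P2PE": False, "D": True}
PENTEST_REQUIRED = {"D"}

def select_saq(p: MerchantProfile) -> dict:
    """Map a profile to an SAQ type plus its validation requirements.

    Precedence is an assumption: any storage or prior breach lands in D,
    then e-commerce types, then the card-present types.
    """
    if p.stores_cardholder_data or p.prior_breach:
        saq = "D"
    elif p.ecommerce and p.fully_outsourced:
        saq = "A"
    elif p.ecommerce:
        saq = "A-EP"           # merchant hosts a site that can affect the payment
    elif p.p2pe_solution:
        saq = "P2PE"
    elif p.virtual_terminal_hosted:
        saq = "C-VT"
    elif p.pos_software_ip:
        saq = "C"
    elif p.standalone_terminal == "dial":
        saq = "B"
    elif p.standalone_terminal == "ip":
        saq = "B-IP"
    else:
        raise ValueError("profile matches none of the SAQ types described; "
                         "work through the questions in the compliance portal")
    return {"saq": saq,
            "scan_required": SCAN_REQUIRED[saq],
            "pentest_required": saq in PENTEST_REQUIRED}
```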