SAQ Eligibility Guide

Choosing the right Self Assessment Questionnaire (‘SAQ’) can be a very tricky task, especially for merchants with multiple payment channels. The PCI SSC introduced five different SAQs:

  1. SAQ A – Card-not-present Merchants, All Cardholder Data Functions Outsourced.
  2. SAQ B – Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage.
  3. SAQ C – Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage.
  4. SAQ C-VT – Merchants with Web-Based Virtual Terminals, No Electronic Cardholder Data Storage.
  5. SAQ D – All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ.

Merchants are eligible to complete only one SAQ covering the entire payment system. So, lets have a look at the following scenarios:

Scenario 1

  • Merchant A has outsourced its E-commerce payment channel to a Service Provider B.
  • Merchant A does not operate any other payment channels.

This model fits an SAQ A. An E-commerce system classifies as Card-not-present transaction and it is outsourced to the Service Provider B. Simple!

Scenario 2

  • Merchant B has outsourced its E-commerce payment channel to a Service Provider C.
  • Merchant B also accept in-house MOTO (Mail Order/Telephone Order) transactions via a virtual-terminal provided by the Service Provider C.

This scenario is more complex. Based on the first statement, Merchant B fits an SAQ A. Based on the second statement, Merchant B fits an SAQ C-VT. So, which SAQ Merchant B should complete; SAQ A, C-VT or both?

The correct answer is SAQ D. SAQ A, B, C and C-VT along with the corresponding Attestation of Compliance (‘AOC’) were designed for merchants operating a single payment channel type. If a merchant operates multiple payment channel types, the only option is to follow the SAQ D.

Download our free guide to SAQ Eligibility Criteria.


Related Reading

Risk Assessment Guidelines Information Supplement

PA DSS Process Change

7 Security Warning Signals

Mastercard Best Practices for Mobile POS Acceptance

Barclaycard Risk Reduction Programme Position Statement

PCI DSS Cloud Computing Guidelines

Leave a Reply