Choosing the right Self Assessment Questionnaire (‘SAQ’) can be a very tricky task, especially for merchants with multiple payment channels. The PCI SSC introduced five different SAQs:
- SAQ A – Card-not-present Merchants, All Cardholder Data Functions Outsourced.
- SAQ B – Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage.
- SAQ C – Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage.
- SAQ C-VT – Merchants with Web-Based Virtual Terminals, No Electronic Cardholder Data Storage.
- SAQ D – All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ.
Merchants are eligible to complete only one SAQ covering the entire payment system. So, lets have a look at the following scenarios:
- Merchant A has outsourced its E-commerce payment channel to a Service Provider B.
- Merchant A does not operate any other payment channels.
This model fits an SAQ A. An E-commerce system classifies as Card-not-present transaction and it is outsourced to the Service Provider B. Simple!
- Merchant B has outsourced its E-commerce payment channel to a Service Provider C.
- Merchant B also accept in-house MOTO (Mail Order/Telephone Order) transactions via a virtual-terminal provided by the Service Provider C.
This scenario is more complex. Based on the first statement, Merchant B fits an SAQ A. Based on the second statement, Merchant B fits an SAQ C-VT. So, which SAQ Merchant B should complete; SAQ A, C-VT or both?
The correct answer is SAQ D. SAQ A, B, C and C-VT along with the corresponding Attestation of Compliance (‘AOC’) were designed for merchants operating a single payment channel type. If a merchant operates multiple payment channel types, the only option is to follow the SAQ D.
Download our free guide to SAQ Eligibility Criteria.