SAQ
Type |
Applies to: |
Data Retention |
Processing Method |
| A |
Card-not-present merchants (e-commerce or mail/telephone-order)
*Not applicable to face-to-face channels. Not applicable to service providers. |
Any account data retained by merchant is on paper (for example, printed reports or receipts), and these documents are not received electronically. |
All processing of account data is entirely outsourced to PCI DSS compliant third party service provider (TPSP)/payment processor. |
| A-EP |
E-commerce merchants
*Not applicable to service providers. |
Any account data retained by merchant is on paper (for example, printed reports or receipts), and these documents are not received electronically. |
All processing of account data, with the exception of the payment page, is entirely outsourced to a PCI DSS compliant third-party service provider (TPSP)/payment processor. |
| B |
Brick-and-mortar (card-present) or mail/telephone order (card-not-present) merchants
*Not applicable to e-commerce channels. Not applicable to service providers. |
Merchant retains only paper reports or receipts with account data, and these documents are not received electronically. |
The merchant uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to the merchant processor) to take customers' payment card information. |
| B-IP |
Brick-and-mortar (card-present) or mail/telephone order (card-not-present) merchants.
*Not applicable to e-commerce channels. Not applicable to service providers. |
Merchant retains only paper reports or receipts with account data, and these documents are not received electronically. |
The merchant uses only standalone, PCI-listed approved PTS POI devices (excludes SCRs and SCRPs) connected via IP to merchant's payment processor to take customers' payment card information. |
| C |
Brick-and-mortar (card-present) or mail/telephone order (card-not-present) merchants.
*Not applicable to e-commerce channels. Not applicable to service providers. |
Merchant retains only paper reports or receipts with account data, and these documents are not received electronically. |
The merchant process account data via a point-of-sale (POS) system or other payment application systems connected to the Internet. |
| C-VT |
Brick-and-mortar (card-present) or mail/telephone order (card-not-present) merchants.
*Not applicable to e-commerce channels. Not applicable to service providers. |
Merchant retains only paper reports or receipts with account data, and these documents are not received electronically. |
The only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser. |
| D |
SAQ D for Merchants:
All merchants not included in descriptions for the above SAQ types.
* Not applicable to service providers.
SAQ D for Services Providers:
All service providers defined by a payment brand as eligible to complete an SAQ.
|
SAQ D for Merchants:
E-commerce merchants that accept or store account data, as well as merchants who do not qualify for another SAQ type or have additional PCI DSS requirements.
|
- |
| P2PE |
Card-present or card-not-present (mail/telephone order) merchants.
*Not applicable to e-commerce channels. Not applicable to service providers. |
Merchant retains only paper reports or receipts with account data, and these documents are not received electronically. |
All payment processing is via a validated PCI-listed P2PE solution. |
| SPoC |
Attended card-present merchants only (contact chip, contactless, SCRP-based magnetic stripe).
*Not applicable to unattended card-present, mail-order/telephone order (MOTO), or ecommerce channels. Not applicable to service providers. |
Merchant retains only paper reports or receipts with account data, and these documents are not received electronically. |
All payment processing is only via a card-present payment channel. |
