Self-Assessment Questionnaires (SAQ) types
SAQ A
- Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers
- No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises
- Not applicable to face-to-face channels
SAQ A-EP
- E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction
- No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises
- Applicable only to e-commerce channels.
SAQ B
- Merchants using only: Imprint machines with no electronic cardholder data storage
- Standalone, dial-out terminals with no electronic cardholder data storage
- Not applicable to e-commerce channels.
SAQ B-IP
- Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor
- No electronic cardholder data storage
- Not applicable to e-commerce channels.
SAQ C-VT
- Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider
- No electronic cardholder data storage
- Not applicable to e-commerce channels.
SAQ C
- Merchants with payment application systems connected to the Internet
- No electronic cardholder data storage
- Not applicable to e-commerce channels.
SAQ P2PE-HW
- Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution
- No electronic cardholder data storage
- Not applicable to e-commerce channels
SAQ D (Merchant)
- All merchants not included in descriptions for the above SAQ types
SAQ D (Service Providers)
- All service providers (NOT merchant) defined by a payment brand as eligible to complete a SAQ
EMVCo certification levels
Level 1: Hardware
- Device/terminal meets physical requirements, electromagnetic and communication protocols and operating distance tests.
- Applies to both contact EMV and contactless EMV.
- The hardware supplier is responsible for Level 1.
Level 2: Software Kernel / Library
- The software that facilitates transmission of payment information from the credit card.
- One common specification for EMV contact.
- Each card brand has its own specification for EMV contactless.
- Typically, the hardware supplier is responsible for Level 2, but this may depend on the software running internally on the payment terminal.
Level 3: Brand certification
- End-to-end EMV transaction certification consisting of L1 hardware, L2 kernel, payment application, gateway/processor and brand approval.
- The solution provider is usually responsible for Level 3.