How we determine your Self Assessment Questionnaire (SAQ) type and what each one means.

Once you have completed your business profile in the portal, you will be assigned an appropriate SAQ. There are three main factors that impact assignment of SAQ type:

  1. Acceptance channel – how your business accepts payments:
    • Face to face – transactions made where the card holder is physically present.
    • Ecommerce – via a customer facing website that takes card payments.
    • Mail or telephone orders (MOTO) – payments made over the phone or mail ordering services.
  2. Point of sale setup – what type of terminal/setup your business uses to process payments.
  3. Storage of data – if you store any cardholder data electronically, you will automatically be assigned a high-risk SAQ type.

SAQs can be broken into categories based on what a business uses to take payments

SAQ A relates to merchants that fully outsource the acceptance and processing of card payments and account data handling, including those that entirely outsource their call center/order fulfillment as well as e-commerce merchants
SAQ A-EP relates to merchants that partially outsource their e-commerce payment channel to PCI DSS compliant third parties
SAQ B, SAQ B-IP (internet) & SAQ B-IP (GPRS) relate to standalone card terminals/card machines
SAQ C-VT entry of account data into an Internet-based virtual payment terminal (Virtual Terminal or VT)
SAQ C relate to a iPOS/ePOS systems OR a mobile/tablets
SAQ P2PE relates to the acceptance and processing of card payments using a validated PCI-listed Point to Point Encryption (P2PE) Solution
SAQ D (composite) if the merchant has multiple ways of taking payments under the one MID (merchant ID number)
SAQ D if the merchant has any high-risk activity present e.g. Storing card information, recording calls, receiving card details via email etc
SAQ SPoC if account data is processed only using a commercial off the shelf mobile device with a secure card reader-PIN, as part of a validated PCI-listed SPoC Solution