IndyPCI.net




How much is your peace of mind worth?



The descriptions below will help you determine the appropriate SAQ for manual uploads.



SAQ File Download

SAQ A SAQ B SAQ C SAQ C(VT) SAQ D for merchants SAQ D for service providers SAQ A-EP* B-IP* P2PE-HW

SAQ A:
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels. (i.e. eProcessing Network, Authorize.net, Virtual Terminals).

SAQ B:
Merchants using only 'Imprint machines' with no electronic cardholder data storage and/or 'Standalone' dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. (i.e. Hypercom, Nurit, Omni terminals).

SAQ C:
Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. (i.e. NPC Secure).

SAQ C(VT):
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. (i.e. NPC Secure).

SAQ D:
for Merchants: All merchants not included in descriptions for the above SAQ types.

SAQ D for Service Providers:
All service providers defined by a payment brand as eligible to complete a SAQ. (i.e. PC Charge, Global Retail).

SAQ A-EP*:
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.

B-IP*:
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

P2PE-HW:
Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. * New for PCI DSS v3.0