Assessing the Security of Your Cardholder Data

Ideal for small merchants and service providers that are not required to submit a report on compliance, a Self-Assessment Questionnaire (SAQ) is designed as a self-validation tool to assess security for cardholder data.

The Self-Assessment Questionnaire includes a series of yes-or-no questions for each applicable PCI Data Security Standard requirement. If an answer is no, your organization may be required to state the future remediation date and associated actions.

There are different questionnaires available to meet different merchant environments. You can easily find the Self-Assessment Questionnaire that best describes how you accept payment cards. If you are not sure which questionnaire applies to you, contact your acquiring bank or payment card brand for assistance.

Complete Your Assessment

There are two components to the Self-Assessment Questionnaire:

  1. A set of questions corresponding to the PCI Data Security Standard requirements designed for service providers and merchants.
  2. An Attestation of Compliance or certification that you are eligible to perform and have performed the appropriate Self-Assessment. An appropriate Attestation will be packaged with the Questionnaire that you select.

Questionnaire
How do you accept payment cards?
Questionnaire:A
How do you accept payment cards?:
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.
Questionnaire:A-EP
How do you accept payment cards?:
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
Applicable only to e-commerce channels.
Questionnaire: B
How do you accept payment cards?:
Merchants using only:
  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.
Questionnaire:B-IP
How do you accept payment cards?:
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
Questionnaire:C-VT
How do you accept payment cards?:
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
Not applicable to e-commerce channels.
Questionnaire:C
How do you accept payment cards?:
Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
Not applicable to e-commerce channels.
Questionnaire:P2PE-HW
How do you accept payment cards?:
Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
Questionnaire:D
How do you accept payment cards?:
For Merchants: All merchants not included in descriptions for the above types.
Questionnaire:D
How do you accept payment cards?:
For Service Providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.