What type of SAQ could be applicable to me as a merchant?

If a merchant is eligible to use SAQs, then the type is strongly dependent on the type of integration and the fact whether the merchant ever touches card numbers (PAN) and sensitive authentication data (e.g. CVC, Track2, …)

In order to identify the type of SAQ the merchant should consult the acquiring bank. The acquiring bank will provide the details regarding your particular PCI DSS validation requirements. When being eligible for SAQ and having access to card data being the PAN, CVC, …; typically the acquiring bank will require you to fill in the SAQ-D questionnaire.

However when you as merchant do not have access to any card holder data and the processing of the payment flows is outsourced to a PCI compliant payment service provider (PSP); then the acquiring bank could opt for either a SAQ A or SAQ A-EP.

For more information, see Understanding SAQs for PCI DSS v3.

Get started

Integration Solutions

Payment methods

Payment Performance

Security

News

What type of SAQ could be applicable to me as a merchant?