Choosing a PCI Self Assessment

All merchants accepting credit cards will be required to fill out a form called the Self Assessment Questionnaire (SAQ) for PCI compliance.  This usually happens when you open an account with a Merchant Service Provider.  The SAQ is a simple self-validation tool to determine your company’s compliance to the PCI requirements.  An SAQ is not a replacement for a full PCI-DSS audit, but rather a step for merchants to take to help mitigate possible losses. 

 Most Merchant Service Providers will ask you how you’ll be accepting cardholder data.  Then they will send you an SAQ.  What many merchants don’t know, is there are different SAQs depending upon how you accept cardholder data.  Here is a table taken from:


  • SAQ A:  Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
  • SAQ B:  Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
  • SAQ C-VT:  Merchants using only web-based virtual terminals, no electronic cardholder data storage.
  • SAQ C:  Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
  • SAQ D:  All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.


More detailed descriptions can be found in a supporting document that I HIGHLY suggest you read if you’re at all confused.  The document is titled “SAQ Instructions and Guidelines” (v2.0 as of this writing):

(This link includes a list of downloadable SAQs as well)


Using a PCI-DSS compliant service like Cart32 allows you to defer most of the responsibilities in the SAQ to us.  We dedicate a lot of time and energy to create a PCI compliant solution for our Cart32 software and Merchant Account services.  The result is a turn-key solution for merchants that removes about 99% of the hassle of PCI-DSS compliance and general security concerns.


Leave a Reply

Log in