PCI Compliance SAQ

Overview

Your payment processor, merchant account, or bank may ask you to fill out a PCI compliance Self Assessment Questionnaire (SAQ). This is a very common and completely normal request, and if you accept credit cards, you will probably be asked to fill out a SAQ on a quarterly or yearly basis.

The SAQ is a very simple way for your payment processor to confirm that you are not doing anything insecure with respect to processing credit cards. It is a basic security practice that helps combat credit card fraud and ensures that merchants like you handle credit cards securely.

The SAQ should take very little time to complete, and it can generally be completed on your own or with minimal assistance from the ChargeOver team.

Which SAQ Do I Need?

There are many versions of the PCI SAQ. The one you choose depends on what you do with credit card numbers.

Note: In general, most ChargeOver customers should fill out SAQ A or SAQ A-EP.

SAQ A

SAQ A applies to card-not-present merchants (e-commerce/online/mail/telephone order) who have completely outsourced all cardholder data processing functions and do not store or transmit credit card data.

SAQ A is usually a fairly trivial exercise for merchants, and its requirements address two primary areas:
  1. Make sure you don't store paper copies of credit card numbers
  2. Make sure you keep a list of service providers (usually that list will be ChargeOver and your payment gateway)

Note: If you do NOT use any ChargeOver developer libraries or APIs, then you probably need SAQ A.

SAQ A-EP

SAQ A-EP is very similar to SAQ A, but adds provisions for merchants who accept or process credit cards securely through their own websites.

If all elements of the payment form originate from the payment processor (e.g. your own website does NOT accept credit cards in any way), then SAQ A can be used instead. Otherwise, use SAQ A-EP.

Note: If your website uses our developer-focused ChargeOver.js libraries, or passes credit card data to ChargeOver using our developer REST API, you probably need SAQ A-EP.

SAQ B

SAQ B is for merchants who do not store credit card data, and who process payments either by standalone terminals or imprint-only machines.

Note: This SAQ is probably not applicable to you.

SAQ B-IP

This SAQ is for merchants who process payments via standalone PTS-approved point-of-interaction devices, for example cash registers or iPad apps that accept payments.

Note: This SAQ is probably not applicable to you.

SAQ C-VT

This SAQ is most commonly used by call centers who enter card details manually. It never applies to e-commerce businesses.

Note: This SAQ is probably not applicable to you.

SAQ C

SAQ C normally applies to small brick-and-mortar merchants who do not accept any credit card data electronically or via the Internet.

Note: This SAQ is probably not applicable to you.

SAQ P2PE

This SAQ is for merchants where credit card data is only ever keyed directly into a P2PE validated hardware device and there is no electronic storage of credit card data.

Note: This SAQ is probably not applicable to you.

SAQ D

SAQ D is the final SAQ and applies to any merchants who do not meet the criteria for other SAQs, as well as all service providers. SAQ D encompasses the full set of over 200 requirements and covers the entirety of the PCI DSS.