Once you have completed your business profile in the compliance portal, you will be assigned an SAQ (Self-Assessment Questionnaire). The SAQ type you are assigned depends on how your business accepts payments:
- Face to face - transactions made where the cardholder is physically present.
- E-commerce - via a customer-facing website that takes card payments.
- Mail or telephone orders (MOTO) - payments made over the phone or through mail-order services.
Other key factors:
- Payment method - The type and setup of the solution your business uses to accept and process payments.
- Storage of data - If you store any cardholder data electronically, you will automatically be assigned an SAQ D. The SAQ D includes all the security measures necessary to securely store electronic cardholder data.
Below is a list and high-level description of the SAQ types:
- SAQ A: Merchants who have outsourced all account data functions to PCI DSS-compliant third parties.
- SAQ A-EP: Merchants who partially outsource e-commerce payment channels to PCI DSS-compliant third parties.
- SAQ B: Merchants who use imprint-only, or standalone, dial-out terminals.
- SAQ B-IP: Merchants who use standalone, PCI PTS-approved point-of-interaction (POI) devices connected via IP.
- SAQ C-VT: Merchants who manually enter account data from an isolated computing device into an Internet-based virtual payment terminal connected via IP.
- SAQ C: Merchants with point-of-sale (POS) systems or other payment application systems connected to the Internet.
- SAQ P2PE: Merchants who only process account data via payment terminals from a validated PCI-listed Point to Point Encryption (P2PE) solution.
- SAQ SPoC: Merchants who process account data only using a validated PCI-listed Software-based PIN Entry on COTS (SPoC) solution.
- SAQ D: Applies to all other self-assessment-eligible merchants not meeting the criteria for any other SAQ type.