PCI SAQs

If you process under 6 million Visa or MasterCard transactions per year, you may be able to file a "Self-Assessment Questionnaire" (SAQ) to meet Payment Card Industry (PCI) requirements. Recently, PCI made a change that allows merchants to complete multiple SAQs for different payment methods instead of defaulting to SAQ D.

Most companies need external support to meet -- and ensure compliance with -- the SAQ requirements. This tool helps you to understand which SAQ(s) apply to your business and provides links to their contents so you can decide if you would like to contact ThreeShield to support your PCI compliance requirements.

PCI SAQ Selector

Check any of the following that apply to you and we'll make sure you get the right SAQ and provide advice to reduce your PCI requirements:

How many Visa or MasterCard (whichever is higher) transactions do you process through a website per year?
  • None
  • 1 to 19,999
  • 20,000 to 1 million
  • 1 to 6 million
  • Over 6 million

How many Visa or MasterCard (whichever is higher) transactions do you process through any means per year?
  • Under 1 million
  • 1 to 6 million
  • Over 6 million

Which of the following apply to you?
  • We provide hosting, processing, or related services for other companies that rely on us for PCI compliance.
  • Our customers' credit card information has been accessed by an unauthorized party.
  • We have at least one credit card number stored in a computer system (even if not currently used), on storage media (including backup tapes, hard drives, USB drives, remote backups, etc.), or by any other electronic means.
  • We accept payments through at least one website.
  • The tool(s) and/or service(s) that we use to process card-not-present (e-commerce, mail, or telephone) payments are never used for payments received in person.
  • We do not store, process, or transmit any credit card information through our own systems (check this box if the only transmission is through the telephone, PCI-compliant payment processors, stand-alone terminals, virtual terminal websites, or third-party web payment processors in an iframe reached through a link on your site).
  • We accept payments over the phone.
  • We accept mail order payments.
  • We accept payments through a paper-only imprint machine.
  • We have at least one hardware payment terminal, PIN entry device, or credit card processing machine.
  • We process our credit card payments through a virtual payment terminal on an Internet web site.
  • We use a Secure Card Reader (SCR) like Square that isn't on the P2PE list. (Verify your device on the P2PE list here.)
  • We have a point of sale system or other payment application that receives or processes credit card numbers on a computer that also has access to the Internet.
  • We use a PCI-certified point-to-point encryption (P2PE) solution like Clover, PayPal Here, or BlueFin QuickSwipe and have implemented all the controls in the P2PE Instruction Manual (PIM). (Verify your device on the P2PE list here.)


Your SAQ

If your business processes fewer than 6 million Visa or MasterCard transactions per year, you may be able to reduce your PCI requirements -- especially if you don't store credit card numbers.

FULL PCI
When is it required?
  • Over 6 million Visa or MasterCard transactions per year, or
  • After a data breach
Requirements:
  • All PCI-DSS requirements
  • Report on Compliance
  • Classifying media by sensitivity
  • Securing electronic and paper media containing cardholder data
  • Tracking any sensitive media sent by courier
  • Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data
  • Quarterly vulnerability scans from an approved scanning vendor
  • Multi-factor authentication
  • Basic computer security
  • Basic access management
  • Annual penetration testing
  • Firewall and other network security requirements
  • Encrypted connections inside and outside of the company

Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
Calgary-based ThreeShield will complete and/or verify your required PCI documentation and ensure that your executive attestations are accurate. Click here to get started today.

SAQ D (Service Providers)
Who can use it?
All service providers with under 6 million Visa or MasterCard transactions that cannot otherwise reduce their PCI compliance requirements.
Requirements: 348 requirements, including:
  • Classifying media by sensitivity
  • Securing electronic and paper media containing cardholder data
  • Tracking any sensitive media sent by courier
  • Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data
  • Quarterly vulnerability scans from an approved scanning vendor
  • Multi-factor authentication
  • Basic computer security
  • Basic access management
  • Annual penetration testing
  • Firewall and other network security requirements
  • Encrypted connections inside and outside of the company

Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
Calgary-based ThreeShield will complete and/or verify your required PCI documentation and ensure that your executive attestations are accurate. Click here to get started today.

SAQ D (Merchants)
Who can use it?
All merchants with under 6 million Visa or MasterCard transactions that cannot otherwise reduce their PCI compliance requirements.
Requirements: 331 requirements, including:
  • Classifying media by sensitivity
  • Securing electronic and paper media containing cardholder data
  • Tracking any sensitive media sent by courier
  • Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data
  • Quarterly vulnerability scans from an approved scanning vendor
  • Multi-factor authentication
  • Basic computer security
  • Basic access management
  • Annual penetration testing
  • Firewall and other network security requirements
  • Encrypted connections inside and outside of the company

Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
Calgary-based ThreeShield will complete and/or verify your required PCI documentation and ensure that your executive attestations are accurate. Click here to get started today.

SAQ C
Who can use it?
Merchants with payment application systems connected to the Internet and no electronic cardholder data storage.
Although Square does not usually request evidence of PCI compliance until a breach occurs, Square customers who need to show evidence of PCI compliance to banks or insurers use SAQ C.
Do not use SAQ C if you only accept payments through ecommerce.
Requirements: 161 requirements, including:
  • Classifying media by sensitivity
  • Securing electronic and paper media containing cardholder data
  • Tracking any sensitive media sent by courier
  • Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data
  • Quarterly vulnerability scans from an approved scanning vendor
  • Multi-factor authentication
  • Basic computer security
  • Basic access management
  • Annual penetration testing
  • Firewall and other network security requirements
  • Encrypted connections inside and outside of the company

Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
Calgary-based ThreeShield will complete and/or verify your required PCI documentation and ensure that your executive attestations are accurate. Click here to get started today.

SAQ C-VT
Who can use it?
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider, with no electronic cardholder data storage.
Do not use SAQ C-VT if you accept payments through ecommerce or any other means.
Requirements: 85 requirements, including:
  • Classifying media by sensitivity
  • Securing electronic and paper media containing cardholder data
  • Tracking any sensitive media sent by courier
  • Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data
  • Quarterly vulnerability scans from an approved scanning vendor
  • Multi-factor authentication
  • Basic computer security
  • Basic access management
  • Annual penetration testing
  • Firewall and other network security requirements
  • Encrypted connections inside and outside of the company

Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
Calgary-based ThreeShield will complete and/or verify your required PCI documentation and ensure that your executive attestations are accurate. Click here to get started today.

SAQ B-IP
Who can use it?
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
Do not use SAQ B-IP if you only accept payments through ecommerce.
Requirements: 88 requirements, including:
  • Quarterly vulnerability scans from an approved scanning vendor
  • Classifying media by sensitivity
  • Securing electronic and paper media containing cardholder data
  • Tracking any sensitive media sent by courier
  • Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data

Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
Calgary-based ThreeShield will complete and/or verify your required PCI documentation and ensure that your executive attestations are accurate. Click here to get started today.

SAQ P2PE
Who can use it?
Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
Do not use SAQ P2PE if you only accept payments through ecommerce.
Requirements: 33 requirements, including:
  • Classifying media by sensitivity
  • Securing electronic and paper media containing cardholder data
  • Tracking any sensitive media sent by courier
  • Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data

Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
Calgary-based ThreeShield will complete and/or verify your required PCI documentation and ensure that your executive attestations are accurate. Click here to get started today.

SAQ A-EP
Who can use it?
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and whose website(s) do not directly receive cardholder data but can affect the security of the payment transaction. No electronic storage, processing, or transmission of cardholder data on the merchant's systems or premises.
Only use SAQ A-EP if you accept payments through ecommerce.
Requirements: 192 requirements, including:
  • Basic computer security
  • Basic access management
  • Classifying media by sensitivity
  • Securing electronic and paper media containing cardholder data
  • Tracking any sensitive media sent by courier
  • Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data
  • Quarterly vulnerability scans from an approved scanning vendor
  • Annual penetration testing
  • Firewall and other network security requirements

Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
Calgary-based ThreeShield will complete and/or verify your required PCI documentation and ensure that your executive attestations are accurate. Click here to get started today.

SAQ B
Who can use it?
Merchants using only:
  • Imprint machines with no electronic cardholder data storage, and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.
Do not use SAQ B if you accept payments through ecommerce.
Requirements: 40 requirements, including:
  • Classifying media by sensitivity
  • Securing electronic and paper media containing cardholder data
  • Tracking any sensitive media sent by courier
  • Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data

Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
Calgary-based ThreeShield will complete and/or verify your required PCI documentation and ensure that your executive attestations are accurate. Click here to get started today.

SAQ A
Who can use it?
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
Do not use SAQ A if you only accept payments in person.
Requirements: 22 requirements, including:
  • Basic computer security
  • Basic access management
  • Classifying media by sensitivity
  • Securing electronic and paper media containing cardholder data
  • Tracking any sensitive media sent by courier
  • Documenting and implementing PCI-compliant policies and procedures and maintaining records of vendors that may affect credit card data

Required PCI Documents:
Documents available at https://www.pcisecuritystandards.org/document_library
Calgary-based ThreeShield will complete and/or verify your required PCI documentation and ensure that your executive attestations are accurate. Click here to get started today.
