PCI SAQ – Forms and Validation Types
If you are a merchant or service provider and accept credit cards, you must validate PCI compliance at least annually. Network Security Scans are required of all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information. However, even if an entity does not offer Web-based transactions, other services may make its systems Internet-accessible. Basic functions such as email and employee Internet access may leave a company's network reachable from the Internet. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can potentially expose cardholder data if not properly controlled.
Please refer to the table below to help you determine which SAQ form you will need to complete and whether or not you require Network Security Scans to fulfill your PCI compliance requirements.