Click here for a free PCI scan from ControlScan

PCI SAQ – Forms and Validation Types

If you are a merchant or service provider and accept credit cards you must validate PCI compliance at least annually. Network Security Scans are required of all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information. However, even if an entity does not offer Web-based transactions, there may be other services that make systems Internet accessible. Basic functions such as email and employee Internet access may result in the Internet-accessibility of a company's network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can potentially expose cardholder data if not properly controlled.

Please refer to the table below to help you determine which SAQ form you will need to complete and whether or not you require Network Security Scans to fulfill your PCI compliance requirements.

SAQ Validation Type	SAQ Form	Description	Scan Required?
1	A	Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsources. Merchant does not store, process, or transmit any cardholder data on merchant premises but relies entirely on third party service providers to handle these functions The third party service providers handling storage, processing, and/or transmission of cardholder data is confirmed to be PCI DSS compliant Merchant retains only paper reports or receipts with cardholder data, and such documents are not received electronically Merchant does not store any cardholder data in electronic format	NO
2	B	Imprint-only merchants with no electronic cardholder data storage Merchant uses only an imprint machine to imprint customers' payment card information and does not transmit cardholder data over either a phone line or the Internet Merchant retains only paper reports or paper copies of receipts Merchant does not store any cardholder data in electronic format	NO
3	B	Stand-alone dial-up terminal merchants, no electronic cardholder data Merchant uses only standalone, dial-up terminals; and these terminals are not connected to the Internet or any other systems within the merchant environment Merchant retains only paper reports or paper copies of receipts Merchant does not store any cardholder data in electronic format	NO
4	C	Merchants with payment application systems connected to the Internet, no electronic cardholder data storage Merchant has a payment application system and an Internet or public network connection on the same device The payment application system/Internet device is not connected to any other system within the merchant environment Merchant retains only paper reports or paper copies of receipts Merchant does not store cardholder data in electronic format Merchant's payment application software vendor uses secure techniques to provide remote support to merchant's payment application system	YES
5	D	All other merchants (not included in descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete an SAQ All other merchants (not included in descriptions above) and all service providers defined by a payment brand as eligible to complete an SAQ	YES

Quick Links

Increase your merchants' PCI Compliance rates