Frequently Asked Questions


What is the intent of the SAQ eligibility criteria?

FAQ Response

Each Self-Assessment Questionnaire (SAQ) was created to support a specific type of environment, depending on how the entity stores, processes, and/or transmits cardholder data. All SAQs (except for SAQ D) are intended for merchants with less complex environments, and each SAQ defines specific criteria that must be met in order to be eligible to use that SAQ. For example, SAQ B-IP is intended for environments using only PTS-approved point-of-interaction (POI) devices (excluding SCRs), SAQ C-VT for environments using only web-based virtual payment terminals on a personal computer, and SAQ C for environments using only payment application systems (for example, point-of-sale systems) connected to the Internet. In accordance with payment brand compliance programs, entities that meet all eligibility criteria for a particular SAQ may then assess and validate against the subset of PCI DSS requirements included within that SAQ.

In order for a merchant environment to meet SAQ eligibility criteria, only system types defined in the eligibility criteria may be used in that environment. Additionally, these SAQs explicitly state that the defined system type must not be connected to any other systems, and that segmentation may be used to isolate the permitted system type from all other systems*.

The SAQ criteria are not intended to prohibit more than one of the permitted system types from being on the same network zone, as long as the permitted systems are all isolated from other types of systems (e.g., by implementing network segmentation). For example, an environment eligible for SAQ B-IP may have more than one PTS-approved POI device on a network that does not contain any other type of system. Similarly, SAQ C merchants may have more than one point-of-sale system on the same local network.

The intent of these criteria is to ensure that the environment is properly scoped and is suitable for validation against the subset of PCI DSS requirements contained in the SAQ. Environments containing any other types of systems would not be eligible for that particular SAQ, as they would likely be subject to different and/or additional PCI DSS requirements beyond those included in the SAQ.

Merchants should always consult with their acquirer (merchant bank) or the payment brands directly to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.


* These criteria are not intended to prevent the defined system type from transmitting transaction information to a third party for processing, such as an acquirer or payment processor, over a network.

November 2016
Article Number 1443