Frequently Asked Question
What is the intent of the SAQ eligibility criteria?
Each Self-Assessment Questionnaire (SAQ) was created to support a specific type of environment, depending on how the entity stores, processes, and/or transmits cardholder data. All SAQs (except for SAQ D) are intended for merchants with less complex environments, and each SAQ defines specific criteria that must be met in order to be eligible to use that SAQ. For example, SAQ B-IP is intended for environments using only PTS-approved point-of-interaction (POI) devices (excluding SCRs), SAQ C-VT for environments using only web-based virtual payment terminals on a personal computer, and SAQ C for environments using only payment application systems (for example, point-of-sale systems) connected to the Internet. In accordance with payment brand compliance programs, entities that meet all eligibility criteria for a particular SAQ may then assess and validate against the subset of PCI DSS requirements included within that SAQ.
In order for a merchant environment to meet SAQ eligibility criteria, only system types defined in the eligibility criteria may be used in that environment. Additionally, these SAQs explicitly state that the defined system type must not be connected to any other systems, and that segmentation may be used to isolate the permitted system type from all other systems*.
The SAQ criteria are not intended to prohibit more than one of the permitted system types being on the same network zone, as long as the permitted systems are all isolated from other types of systems (e.g. by implementing network segmentation). For example, an environment eligible for SAQ B-IP may have more than one PTS-approved POI device on a network that does not contain any other type of system. Similarly, SAQ C merchants may have more than one point-of-sale system on the same local network.
The intent of these criteria is to ensure that the environment is properly scoped and is suitable for validation against the subset of PCI DSS requirements contained in the SAQ. Environments containing any other types of systems would not be eligible for the particular SAQ, as they would likely be subject to different and/or additional PCI DSS requirements beyond those included in the SAQ.
Merchants should always consult with their acquirer (merchant bank) or the payment brands directly to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.
* These criteria are not intended to prevent the defined system type from being able to transmit transaction information to a third party for processing, such as an acquirer or payment processor, over a network.