PCI DSS – SAQ and Attestation of Compliance

Choosing the right SAQ for your business

I had checked on the PCI SSC web site how merchants and small service providers can build and run PCI DSS compliance by self-assessment, without the full Report on Compliance and its accompanying AOC. Good news: it is possible, but there are multiple versions of the PCI DSS SAQ to meet the various payment acceptance scenarios. Remember that the PCI DSS SAQ is a validation tool for merchants and service providers who are not required to submit an on-site data security assessment, i.e. a Report on Compliance (the famous ROC).

Merchants should consult with their acquirer (merchant bank) or payment brand (scheme) to determine if they are eligible or required to submit an SAQ, and which SAQ is appropriate for their environment.

Source: PCI SSC web site

In the following table, I summarize the different SAQ (Self-Assessment Questionnaire) options. The SAQ you complete depends on how you accept payments and on whether you store cardholder data electronically; if none of the first four descriptions fits your environment, you fall into SAQ D, which covers the full set of PCI DSS requirements.

SAQ     Description
A       Card-not-present (e-commerce or MO/TO) merchants, with all cardholder data functions outsourced to PCI DSS compliant service providers. This would never apply to face-to-face merchants.
B       Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
C-VT    Merchants using only web-based virtual payment terminals, with no electronic cardholder data storage.
C       Merchants with segmented payment application systems connected to the Internet, with no electronic cardholder data storage.
D       All other merchants (not included in the descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ.

Enjoy your PCI DSS self-assessment 🙂