Choice the good SAQ for your business
I had checked on the PCI SSC web site how to build and run compliance PCI without standard AOC for a merchants and small providers in self evaluating. Great news it’s possible but there are multiple version of the PCI DSS SAQ to meet various payment acceptance scenarios. Remember the PCI DSS SAQ is a validation tool for merchants and service providers not required to submit an on-site data security assessment Report of Compliance. The famous ROC.
Merchants should consult with acquirer (Merchant Bank) or payment brand (scheme) to determine if they are eligible or required to submit an SAQ, and which SAQ is appropriate for their environment
Source : PCI SSC Web site
On the follow table, I explain the different SAQ (Self-Assessment Questionnaire) possibilities.
|Card-not-Present (E-Commerce or MO/TO) merchants, all cardholder data functions outsourced to PCI DSS compliant service providers.This would never apply to face-to-face merchants|
|Imprint-only-merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage|
|Merchants using only web-based virtual payments terminals, no electronic cardholder data storage|
|Merchants with segmented payment application systems connected to the internet, no electronic cardholder data storage|
|All other merchants (no included in description for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ|
Enjoy your self Assessment PCI DSS 🙂