Merchant Type

The Payment Card Industry Data Security Standard (PCI DSS) requires Level 2-4 merchants to complete a Self-Assessment Questionnaire (SAQ) annually. The SAQ you are required to complete is determined by how you process credit cards and how your credit card processing systems are configured.

There are five validation types and four SAQs. The Validation Types are numeric, but not related to the Merchant Level. The SAQs are referenced by letter (A-D), with D being the most comprehensive questionnaire. The following table illustrates the various types. The second table allows you to determine which questionnaire is correct for you.

| Type | Description |
|------|-------------|
| A | This is for a card-not-present merchant (eCommerce or catalogue order) that outsources all of their credit card servicing. |
| B | This is for a card-present merchant (not eCommerce or catalogue order) that only uses imprint or direct phone for credit card servicing. |
| C | This is for a merchant that services their credit card using a computer connected to the Internet but not their internal network. |
| D | This is for everyone else (e.g., credit card servicing computer is connected to their internal network). |

You can use the questions below to determine the appropriate SAQ.

| # | Statement | TRUE | FALSE |
|---|-----------|------|-------|
| 1 | You do not store any cardholder data in electronic format. | | |
| 2 | Any cardholder data that you store is only paper reports or receipts and is not received electronically. | | |
| 3 | You do not store, process, or transmit any cardholder data on your premises. | | |
| 4 | You rely completely on third-party service providers to handle and process all credit cards. | | |
| 5 | The third-party service provider(s) is confirmed to be PCI-DSS compliant. | | |
| 6 | You only use an imprint machine to obtain cardholder data and do not transmit the cardholder data over either a phone line or the Internet. | | |
| 7 | You only use a standalone, dial-up terminal(s) to capture the cardholder data, and those terminals are not connected to the Internet or any other system within the merchant environment. | | |
| 8 | You have a payment application system and an Internet or other public network connection on the same device or system. | | |
| 9 | The payment application system is not connected to any other system within the merchant environment. | | |
| 10 | Your payment application software vendor uses secure techniques to provide remote support to the application system. | | |

More questions need to be answered before the SAQ Type can be determined.

Daly Realism can help you fill out your self-validation form and design and implement your remediation efforts. A free basic self-assessment questionnaire is provided. This highlights areas that frequently cause problems and provides some advice for remediation.