Office Of The University Controller

According to payment brand rules, all merchants and their service providers are required to comply with the PCI Data Security Standard in its entirety. There are five SAQ Validation categories, shown briefly in the table below and described in more detail in the following paragraphs. Use the table to gauge which SAQ applies to your organization, then review the detailed descriptions to ensure you meet all the requirements for that SAQ.

| SAQ Validation Type | Description | SAQ: Select the appropriate link below. |
|---|---|---|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | |
| 2 | Imprint-only merchants with no electronic cardholder data storage | |
| 3 | Stand-alone terminal merchants, no electronic cardholder data storage | |
| 4 | Merchants with POS systems connected to the Internet, no electronic cardholder data storage | |
| 5 | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. | |