Welcome to ChooseTheCorrectSAQ.com!
This tool is designed to help businesses and PCI assessors determine the appropriate Self-Assessment Questionnaire (SAQ) for their specific PCI DSS compliance needs. By answering a few simple questions, you'll be guided to the SAQ that best fits your business scenario. We aim to simplify complex technical terms, making the PCI DSS compliance process more understandable and accessible.

Always refer to qualified individuals or the PCI Security Standards Council for the official SAQ documentation.

Let's get started!

Are you a service provider as defined by a payment brand?

A Service Provider is a business entity that is not a payment brand and is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.

Examples include
Managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).

Do you operate primarily in e-commerce or mail/telephone order channels?

If you also manually enter card details into a terminal in person (as in the case of SAQ C-VT), or if your business accepts card payments in person in addition to these channels, please choose 'No'.

Have you completely outsourced all payment processing for e-commerce or mail/telephone order to third parties?

Examples include
Merchants whose websites either redirect customers entirely to a third-party website for payment or use iframes provided by a third-party for card data collection.
An iframe is like a 'window' on the payment page that shows content from another secure site, allowing customers to input their card details safely.

Does your website impact the security of the payment transaction, even though it doesn't handle card data directly?

Examples include
Merchants who employ technologies such as JavaScript widgets or Direct Post methods on their e-commerce websites. These methods allow merchants to collect or facilitate the payment process without directly processing cardholder data on their servers. For instance, a JavaScript widget might collect payment information within a form on the merchant's site but then securely send the data to a third-party processor, whereas the Direct Post method sends payment details directly from the customer's browser to the payment gateway, bypassing the merchant's server.

Do you use another type of e-commerce system that doesn't fit the above descriptions?

Do you operate in face-to-face channels?

Do you accept card payments in person, where the customer physically hands you their card?

Do you only use imprint machines or standalone dial-out terminals for card payments?

Examples include
A business owner who runs a small shop and swipes or dips their customers' cards using a machine that works over a regular phone line, like older credit card machines that make a call for each transaction.

A business owner who makes a physical imprint of their customers' credit cards using a flatbed imprinter (those old "clunk-clunk" machines).

Do you use standalone payment terminals connected to the internet?

Examples include
Businesses using a card payment machine (terminal) that connects directly to the internet for processing transactions, but it operates independently and isn't integrated with other systems like a cash register or a broader point-of-sale system.

Do you manually enter payment data for each transaction into an online system?

Examples include
A business owner who takes phone orders and, after hanging up, goes to their computer, opens a specific website or application provided by their bank or payment processor, and manually types in the customer's card details for each transaction.

Do you use an integrated payment application connected to the internet?

Examples include
Businesses where the card processing functionality is integrated into a larger system, such as a point-of-sale system that includes a cash register, inventory management, etc. This typically means the card reader/swiper is directly connected to a computer or POS system that handles multiple functions, including payment processing.

Do you exclusively use a Point-to-Point Encryption solution for card payments?

Examples include
Merchants who use a validated Point-to-Point Encryption (P2PE) solution for their payment processing.

Do you use a mobile device (e.g., phone or tablet) with a secure card reader for card payments?

Examples include
Merchants that use commercial off-the-shelf mobile devices, such as smartphones or tablets. These devices are equipped with a secure card reader that is included on the PCI SSC's list of validated SPoC Solutions.

For all other scenarios or if unsure about the above categories, select either.

Note: This tool is provided as a guide to help you select the appropriate SAQ. Always refer to the official PCI DSS documentation or consult with a qualified security professional to ensure the accurate determination of your SAQ type. For the official SAQ document, please visit the PCI Security Standards Council's website.