SAQ validation type

Description

A

Card-not-present (e-commerce or mail/telephone order) merchants that outsource all cardholder functions and have no direct control over storing, processing or transmitting cardholder data. All payment pages originate from third parties. This never applies to face-to-face merchants.

A-EP

Partially outsourced e-commerce merchants, using a third-party website for payment processing. The merchant’s website only controls how cardholder data is redirected to a third-party payment processor. No electronic storage, processing or transmission of CHD. Only applies to e-commerce channels.

B

Imprint only or standalone, dial-out (via a phone line) terminal merchants. No transmission of cardholder data over data networks, no electronic storage of CHD. Not applicable to e-commerce channels.

B-IP

Merchants with standalone IP-connected, PTS-approved terminals, the only transmission is from the terminal to the payment processor (isolated connection), no electronic storage of cardholder data. Not applicable to e-commerce channels.

C

Merchants with payment applications connected to the Internet, but isolated from the rest of the environment. The physical location of the POS is not connected to other locations (single LAN only). No electronic storage of cardholder data. Not applicable to e-commerce channels.

C-VT

Merchants with web-based virtual payment terminals in which the virtual terminal system is isolated from the rest of the environment. No attached card readers and no electronic storage of cardholder data. Not applicable to e-commerce channels.

D (Merchants)

All other SAQ-eligible merchants that do not meet the criteria for any other SAQ.

D (Service Providers)

All SAQ-eligible service providers.

P2PE-HW

Merchants using hardware payment terminals in a PCI-listed P2PE solution. No electronic cardholder data storage, no electronic processing or transmission of cardholder data outside of the P2PE solution. Not applicable to e-commerce channels.