Document Comparison

SAQ_InstrGuidelines_v3-1.pdf SAQ-InstrGuidelines-v3_2.pdf
97% similar
21 → 21 Pages
5868 → 5904 Words
11 Content Changes

Content Changes

11 content changes. 21 administrative changes (dates, page numbers) hidden.

Modified p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2
Modified p. 11
A-EP E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No storage, processing, or transmission of cardholder data on merchant’s systems or premises.
A-EP E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of cardholder data on merchant’s systems or premises.
Modified p. 13
SAQ A merchants may be either e-commerce or mail/telephone-order merchants (card-not-present) and do not store, process, or transmit any cardholder data in electronic format on their systems or premises.
SAQ A merchants may be either e-commerce or mail/telephone-order merchants (card-not-present), and do not store, process, or transmit any cardholder data in electronic format on their systems or premises.
Modified p. 13
• Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions; • All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers; • Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions; • Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and • Your
• Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions; • All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers; • Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions; • Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and • Any …
Modified p. 14
• Your company accepts only e-commerce transactions; • All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor; • Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor; • If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including …
• Your company accepts only e-commerce transactions; • All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated third-party payment processor; • Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor; • If merchant website is hosted by a third-party provider, the provider is validated to all applicable PCI DSS requirements (e.g., including …
Modified p. 15
• Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information; • The standalone, dial-out terminals are not connected to any other systems within your environment; • The standalone, dial-out terminals are not connected to the Internet; • Your company does not transmit cardholder data over a network (either an internal network or the Internet); • Your company retains only paper reports …
• Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information; • The standalone, dial-out terminals are not connected to any other systems within your environment; • The standalone, dial-out terminals are not connected to the Internet; • Your company does not transmit cardholder data over a network (either an internal network or the Internet); • Any cardholder data your company retains …
Modified p. 16
SAQ B-IP merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants, and do not store cardholder data on any computer system.
SAQ B-IP merchants may be either brick-and-mortar (card- present) or mail/telephone-order (card-not-present) merchants, and do not store cardholder data on any computer system.
Modified p. 16
• Your company uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to your payment processor to take your customers’ payment card information; • The standalone, IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs); • The standalone, IP-connected POI devices are not connected to any other systems within your environment (this can be achieved via network segmentation to isolate POI devices from other systems); • The …
• Your company uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to your payment processor to take your customers’ payment card information; • The standalone, IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs); • The standalone, IP-connected POI devices are not connected to any other systems within your environment (this can be achieved via network segmentation to isolate POI devices from other systems); • The …
Modified p. 17
• Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser; • Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider; • Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation …
• Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser; • Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider; • Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation …
Modified p. 18
SAQ C merchants process cardholder data via a point-of-sale (POS) system or other payment application systems connected to the Internet, do not store cardholder data on any computer system, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone-order (card-not-present) merchants.
SAQ C merchants process cardholder data via a point-of-sale (POS) system or other payment application systems connected to the Internet, do not store cardholder data on any computer system, and may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants.
Modified p. 18
• Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN); • The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems); • The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single store only; …
• Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN); • The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems); • The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single store only; …