SAQ A, SAQ B, and SAQ C-VT: Which self-assessment questionnaire do you need?

If you are reading this post, you probably know what an SAQ is but want to learn more, so keep reading and we will clear up your doubts. SAQs (Self-Assessment Questionnaires) are part of the PCI DSS (Payment Card Industry Data Security Standard). Their purpose is to help merchants and service providers verify their level of compliance with the security controls established in PCI DSS to protect payment card data. Depending on how a merchant handles card data, it must complete the SAQ that best fits its environment.

But how does each type of SAQ differ, and which one is right for your organization? Let's take a closer look at what they are, who should use them, and the highlights of the three most common ones: SAQ A, SAQ B, and SAQ C-VT.

SAQ A – For merchants that do not process or store card data

  • Online stores that redirect customers to a secure payment gateway.
  • Websites that use iFrames or forms hosted by the provider (Stripe, Shopify, PayPal, etc.).
  • Merchants that never have access to card data, even temporarily.

SAQ B – For merchants with standalone terminals without an IP connection

This self-assessment questionnaire applies to merchants who use physical terminals to process cards, but without an internet or IP network connection. The device is completely autonomous and does not store data.

Who should use it?

  • Physical stores that accept payments via traditional card readers connected to a telephone or cellular network (GPRS).
  • Businesses without computers or software involved in the payment process.

This SAQ is ideal for very small businesses with simple local operations.

SAQ C-VT – For merchants who manually enter card data

This SAQ is designed for businesses that receive card data by phone, email, or in person, and manually enter it into a secure web portal provided by a payment platform.

Who should use it?

  • Call centers or telephone support.
  • Merchants who make manual sales through a computer dedicated exclusively to payments, without other programs or open browsing.

Selecting the correct SAQ is crucial to ensuring PCI DSS v4.0.1 compliance and protecting your customers' information. If you have any questions, please ask us! We will be happy to help you, provide you with the information you need, and accompany you through your certification process.