PCI DSS V3.0 SAQs Overview (including Prioritised Approach)

Each requirement below lists the Self-Assessment Questionnaire (SAQ) types with their total control count and eligibility description, followed by the sub-requirements of that requirement that apply to each SAQ.
Requirement 1: Install and maintain a firewall configuration to protect data

SAQ A (14 Controls): Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced

SAQ P2PE-HW (35 Controls): Hardware Payment Terminals in a PCI-Listed P2PE Solution Only, No Electronic Cardholder Data Storage

SAQ B (41 Controls): Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals, No Electronic Cardholder Data Storage

SAQ C-VT (74 Controls): Merchants with Web-Based Virtual Payment Terminals, No Electronic Cardholder Data Storage
  Applicable controls: 1.2, 1.2.1 (a)(b), 1.2.3, 1.3, 1.3.4, 1.3.5, 1.3.6, 1.4, 1.4 (a)(b)

SAQ B-IP (83 Controls): Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals, No Electronic Cardholder Data Storage
  Applicable controls: 1.1, 1.1.1 (a)(b), 1.1.4 (a)(b), 1.1.6 (a)(b), 1.2, 1.2.1 (a)(b), 1.2.3, 1.3, 1.3.4, 1.3.5, 1.3.6

SAQ A-EP (139 Controls): Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
  Applicable controls: 1.1, 1.1.4 (a)(b), 1.1.6 (a)(b), 1.2, 1.2.1 (a)(b), 1.3, 1.3.4, 1.3.5, 1.3.6, 1.3.8 (a)(b)

SAQ C (139 Controls): Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage
  Applicable controls: 1.2, 1.2.1 (a)(b), 1.2.3, 1.3, 1.3.3, 1.3.5, 1.3.6

SAQ D-M (330 Controls): All other SAQ-Eligible Merchants
  Applicable controls: 1.1, 1.1.1, 1.1.2 (a)(b), 1.1.3 (a)(b), 1.1.4 (a)(b), 1.1.5, 1.1.6 (a)(b), 1.1.7 (a)(b), 1.2, 1.2.1 (a)(b), 1.2.2, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8 (a)(b), 1.4, 1.4 (a)(b), 1.5

SAQ D-SP (349 Controls): SAQ-Eligible Service Providers
  Applicable controls: 1.1, 1.1.1, 1.1.2 (a)(b), 1.1.3 (a)(b), 1.1.4 (a)(b), 1.1.5, 1.1.6 (a)(b), 1.1.7 (a)(b), 1.2, 1.2.1 (a)(b), 1.2.2, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8 (a)(b), 1.4, 1.4 (a)(b), 1.5
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

SAQ A (14 Controls): Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced

SAQ P2PE-HW (35 Controls): Hardware Payment Terminals in a PCI-Listed P2PE Solution Only, No Electronic Cardholder Data Storage

SAQ B (41 Controls): Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals, No Electronic Cardholder Data Storage

SAQ C-VT (74 Controls): Merchants with Web-Based Virtual Payment Terminals, No Electronic Cardholder Data Storage
  Applicable controls: 2.1, 2.1 (a)(b), 2.1.1 (a)(b)(c)(d)(e), 2.2, 2.2.2 (a)(b), 2.2.3, 2.2.4 (a)(b)(c), 2.2.5 (a)(b)(c), 2.3, 2.3 (a)(b)(c)(d)(e)

SAQ B-IP (83 Controls): Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals, No Electronic Cardholder Data Storage
  Applicable controls: 2.1, 2.1 (a)(b), 2.1.1 (a)(b)(c)(d)(e), 2.3, 2.3 (a)(b)(c)(d)(e)

SAQ A-EP (139 Controls): Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
  Applicable controls: 2.1, 2.1 (a)(b), 2.2, 2.2 (a)(b)(c)(d), 2.2.1 (a)(b), 2.2.2 (a)(b), 2.2.3, 2.2.4 (a)(b)(c), 2.2.5 (a)(b)(c), 2.3, 2.3 (a)(b)(c)(d)

SAQ C (139 Controls): Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage
  Applicable controls: 2.1, 2.1 (a)(b), 2.1.1 (a)(b)(c)(d)(e), 2.2, 2.2 (a)(b)(c)(d), 2.2.1 (a)(b), 2.2.2 (a)(b), 2.2.3, 2.2.4 (a)(b)(c), 2.2.5 (a)(b)(c), 2.3, 2.3 (a)(b)(c)(d), 2.5

SAQ D-M (330 Controls): All other SAQ-Eligible Merchants
  Applicable controls: 2.1, 2.1 (a)(b), 2.1.1 (a)(b)(c)(d)(e), 2.2, 2.2 (a)(b)(c)(d), 2.2.1 (a)(b), 2.2.2 (a)(b), 2.2.3, 2.2.4 (a)(b)(c), 2.2.5 (a)(b)(c), 2.3, 2.3 (a)(b)(c)(d), 2.4, 2.4 (a)(b), 2.5

SAQ D-SP (349 Controls): SAQ-Eligible Service Providers
  Applicable controls: 2.1, 2.1 (a)(b), 2.1.1 (a)(b)(c)(d)(e), 2.2, 2.2 (a)(b)(c)(d), 2.2.1 (a)(b), 2.2.2 (a)(b), 2.2.3, 2.2.4 (a)(b)(c), 2.2.5 (a)(b)(c), 2.3, 2.3 (a)(b)(c)(d), 2.4, 2.4 (a)(b), 2.5, 2.6
Requirement 3: Protect stored cardholder data

SAQ A (14 Controls): Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced

SAQ P2PE-HW (35 Controls): Hardware Payment Terminals in a PCI-Listed P2PE Solution Only, No Electronic Cardholder Data Storage
  Applicable controls: 3.3, 3.7, 3.1, 3.1 (a)(b)(c)(d)(e), 3.2, 3.2.2, 3.3

SAQ B (41 Controls): Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals, No Electronic Cardholder Data Storage
  Applicable controls: 3.2, 3.2 (c)(d), 3.2.1, 3.2.2, 3.2.3, 3.3

SAQ C-VT (74 Controls): Merchants with Web-Based Virtual Payment Terminals, No Electronic Cardholder Data Storage
  Applicable controls: 3.2, 3.2 (c)(d), 3.2.2, 3.2.3

SAQ B-IP (83 Controls): Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals, No Electronic Cardholder Data Storage
  Applicable controls: 3.2, 3.2 (c)(d), 3.2.1, 3.2.2, 3.2.3

SAQ A-EP (139 Controls): Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing
  Applicable controls: 3.2, 3.2 (c)(d), 3.2.2, 3.2.3

SAQ C (139 Controls): Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage
  Applicable controls: 3.2, 3.2 (c)(d), 3.2.1, 3.2.2, 3.2.3, 3.3

SAQ D-M (330 Controls): All other SAQ-Eligible Merchants
  Applicable controls: 3.1, 3.1 (a)(b)(c)(d)(e), 3.2, 3.2 (a)(b)(c)(d), 3.2.1, 3.2.2, 3.2.3, 3.3, 3.4, 3.4.1 (a)(b)(c), 3.5