PCI SAQs

If you process under 6 million Visa or MasterCard transactions per year, you may be able to file a "Self-Assessment Questionnaire" (SAQ) to meet Payment Card Industry (PCI) requirements. Recently, PCI made a change that allows merchants to complete multiple SAQs for different payment methods instead of defaulting to SAQ D.

Most companies need external support to meet -- and ensure compliance with -- the SAQ requirements. This tool helps you to understand which SAQ(s) apply to your business and provides links to their contents so you can decide if you would like to contact ThreeShield to support your PCI compliance requirements.

PCI SAQ Selector

Check any of the following that apply to you and we'll make sure you get the right SAQ and provide advice to reduce your PCI requirements:

How many Visa or MasterCard (whichever is higher) transactions do you process through a website per year?
none
 1 to 19,999
 20,000 to 1 million
 1 to 6 million
 over 6 million

How many Visa or MasterCard (whichever is higher) transactions do you process through any means per year?
 Under 1 million
 1 to 6 million
 Over 6 million

 We provide hosting, processing, or related services for other companies that rely on us for PCI compliance.
 Our customers' credit card information has been accessed by an unauthorized party.
 We have at least one credit card number stored in a computer system (even if not currently used), storage media (including backup tapes, hard drives, USB drives, remote backups, etc.), or any other electronic means.
 We accept payments through at least one website

 The tool(s) and/or service(s) that we use to process payments for card-not-present (e-commerce, mail, or telephone) payments are never used for payments received in person.
 We do not store, process, or transmit any credit card information through our own systems (check this box if the only transmission is through the telephone, PCI-compliant payment processors, stand-alone terminals, virtual terminal websites, or third-party web payment processors in an iframe redirected through a link on your site).

 We fully outsource our payment forms on a separate page that opens when my customers click a button/link on our page, in an iframe on our website, or in a completely separate shopping cart that they host. Do not check this box if you host any part of the outsourced page (including logos, styles, etc).

 We accept payments through the phone

 We fully outsource our telephone payments to a PCI-certified company that receives payment information over the phone after we transfer the call to them or our customers call them directly.

 We accept mail order payments
 We accept payments through paper-only imprint machine
 We have at least one hardware payment terminal, PIN entry device, or credit card processing machine

 We have at least one payment terminal that uses a telephone line (no network connection)
 We have at least one approved credit card machine/PIN pad that uses a network/Internet connection without a telephone line. (Click here to check if your devices are approved.

 Our Internet-connected payment device is on a segregated network that doesn't include any computers other than the payment device.
 Our credit card machines do not rely on any other devices (computer, mobile phone, tablet, etc) to connect to the payment processor.

 We process our credit card payments through a virtual payment terminal on an Internet web site.

 The computer we use to access the virtual terminal website is on a segregated network that doesn't include any computers other than the payment device.
 Our credit cards are processed as we enter them and we don't store any credit card data for batch processing or forwarding.
 We haven't connected any card readers or other hardware that can capture or store credit card information to the computer that we use to access the website that processes credit cards.
 We don't transmit cardholder data through any other electronic network other than to the virtual terminal website.

 We use a Secure Card Reader (SCR) like Square that isn't on the P2PE list. (Verify your device on the P2PE list here)

 Our SCR is connected to our Internet-connected payment terminal(s).

 We have a point of sale system or other payment application that receives or processes credit card numbers on a computer that also has access to the Internet.

 The computer with our payment application and access to the Internet is on a segregated network that doesn't include any computers without the payment application.
 The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only.

 We use a PCI-certified Point-to-point encryption (P2PE) solution like Clover, PayPal Here, or BlueFin QuickSwipe and have implemented all the controls in the P2PE Instruction Manual (PIM). (Verify your device on the P2PE list here)

 The only systems that store, process, or transmit credit card information are the point of interaction devices approved for use with the P2PE solution.
 We have verified that no old systems, backups, or other systems (other than the P2PE Point of interaction device) contain credit card information.
 At least 75% of our yearly transactions are processed through a point-to-point encryption solution with tap and chip enabled in the United States.

Name:
Email:
Phone:
 Contact me about PCI compliance support
 Subscribe me to the ThreeShield security update newsletter

Your SAQ