SAQ Requirements Mapping
Mapping of PCI DSS requirements to Self-Assessment Questionnaire (SAQ) types
Overview
Different Self-Assessment Questionnaires (SAQs) apply to different merchant environments. This appendix shows which PCI DSS requirements apply to each SAQ type.
SAQ Types and Applicable Requirements
| Requirement | SAQ A | SAQ A-EP | SAQ B | SAQ B-IP | SAQ C | SAQ C-VT | SAQ D |
|---|---|---|---|---|---|---|---|
| 1: Network Security | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 2: Secure Configs | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 3: Protect Stored Data | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 4: Encryption | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 5: Malware Protection | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 6: Secure Systems | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 7: Access Control | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 8: Authentication | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 9: Physical Security | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 10: Logging | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 11: Testing | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 12: Security Policy | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Notes
- SAQ A: For card-not-present merchants (e-commerce/mail/telephone)
- SAQ A-EP: For e-commerce merchants outsourcing payment processing
- SAQ B: For merchants using only imprint machines or standalone dial-out terminals
- SAQ B-IP: For merchants using standalone IP-connected terminals
- SAQ C: For merchants with payment application systems connected to the Internet
- SAQ C-VT: For merchants using virtual terminals
- SAQ D: For all other merchants and service providers