This article contains information on different SAQ profiles.

The steps you need to complete to become PCI compliant depend on your self-assessment questionnaire (SAQ) profile. Below is information on the different SAQ profile types.

SAQ Profile A (Entirely Outsourced eCommerce)

eCommerce website with payments entirely outsourced. 

Customers enter their information into a website to make purchases, payments, or donations. All eCommerce pages are handled by a third party, PCI-validated service provider. 

SAQ Profile A-EP (Partially Outsourced eCommerce)

eCommerce website with payments partially outsourced. 

Customers manually enter their information into a website to make purchases, payments, or donations. A third party, PCI-validated service provider handles purchases, payments, or donations, but is passed information from the merchant website.

Information can be entered into the merchant’s website for the merchant’s website to pass to the third party, or customers can be redirected to a third party website to complete a purchase, payment, or donation.

SAQ Profile B (Standalone Imprint or Dial-out Terminals Only)

You use an imprint machine or standalone terminal not connected to the Internet with no electronic storage for cardholder data. 

SAQ Profile B-IP (Standalone IP-Connected Terminals)

You use a standalone, IP-connected terminal with no electronic storage for cardholder data. Cardholder data is also not stored on a computer. 

SAQ Profile C (Payment Application Systems Connected to the Internet)

You use Point Of Sale (POS) software, typically installed on a computer. The software usually combines with other external devices such as cash registers and terminals. The software will commonly have additional features specific to a type of business.

SAQ Profile C-VT (Web-based Virtual Terminals with Manual Entry)

You use a web browser to access a merchant services website and manually enter in information to authorize purchases, payments, or donations.

SAQ Profile D (Customer Entered Information eCommerce not Outsourced)

Customers manually enter payment information into a checkout or payment page that is not outsourced to a third party service provider.

You use a Point to Point Encryption (P2PE) solution. These solutions encrypt cardholder data at the point of interaction and are decrypted by the solution provider.

The following SAQ profiles require a quarterly website scan:

• A-EP
• B-IP
• C
• D (Merchants)
• D (Service Providers)