Understanding SAQ Types for PCI DSS 4.0

The Self-Assessment Questionnaire (SAQ) is the validation tool for merchants whose acquirer or payment brand does not require an on-site assessment by a QSA. Which SAQ you are eligible for depends on how you accept and handle payment card data, and your acquirer has the final say on which one it will accept. The requirement counts below are approximate: they changed between PCI DSS 3.2.1 and 4.0 and again with the 4.0.1 questionnaires, so confirm them against the current SAQ documents in the PCI SSC document library. Let me explain each type in more detail:

SAQ A - The smallest questionnaire, for card-not-present (e-commerce or mail/telephone order) merchants that:

  • Have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers

  • For e-commerce, either redirect the customer to the provider's hosted payment page or embed a payment form (for example an iframe) that is delivered entirely by the provider, so no payment element originates from the merchant's own site

  • Don't store, process, or transmit cardholder data electronically on their own systems (paper records only, if any)

  • Answer only a small subset of requirements, although 4.0 added e-commerce obligations around payment-page scripts and detecting unauthorised changes to the page

SAQ A-EP - For e-commerce merchants that:

  • Don't receive cardholder data on their own systems, but whose website controls how the payment page is delivered and therefore affects the security of the transaction

  • Use direct post (the merchant's page hosts the form and the browser sends card data straight to the processor) or build the payment form with JavaScript served from the merchant's page; a full redirect or a provider-delivered iframe qualifies for SAQ A instead

  • Must secure the web server and the payment page itself, including inventorying and authorising every script that runs on the page and detecting tampering with it

  • Answer well over a hundred requirements, many times more than SAQ A

SAQ B - For card-present merchants using:

  • Standalone dial-out payment terminals (PTS-approved POI devices on a phone line, not an IP connection) or manual imprint machines

  • No electronic cardholder data storage; paper vouchers and imprints are permitted but must be physically protected and securely destroyed

  • No e-commerce channel

  • A modest number of requirements, mostly physical security, terminal protection and policy

SAQ B-IP - For card-present merchants using:

  • Standalone, PTS-approved payment terminals that connect to the processor over IP but are not connected to any other merchant system

  • No electronic cardholder data storage

  • More requirements than SAQ B (about 82) because network segmentation, firewalling and terminal management come into scope

SAQ C-VT - For merchants that:

  • Manually key one transaction at a time into a web-based virtual terminal, from a dedicated computer that is isolated from other systems and has no card readers attached

  • Don't store cardholder data electronically

  • Use a virtual terminal provided by a PCI DSS compliant service provider

  • Answer a moderate number of requirements, far fewer than its sibling SAQ C

SAQ C - For merchants that:

  • Run a payment application (for example an integrated POS system) on a system connected to the internet

  • Don't store cardholder data electronically

  • Answer well over a hundred requirements, since network, system and application security all apply

SAQ P2PE - For merchants using:

  • A PCI-listed (validated) Point-to-Point Encryption solution, with every card accepted through the solution's devices

  • No access to the decryption keys or decryption environment, so the merchant cannot decrypt the data

  • No electronic cardholder data storage outside the P2PE solution

  • Sharply reduced requirements (about 35), because the encrypted data is out of scope once it leaves the device

SAQ D - The most comprehensive self-assessment, for merchants that don't fit any other SAQ, including those that:

  • Store, process, or transmit cardholder data electronically on their own systems

  • Run e-commerce sites that themselves collect payment data

  • Use integrated payment applications that hold or forward card data

  • Take MOTO (mail order/telephone order) payments on their own systems, rather than keying them into a compliant virtual terminal (SAQ C-VT) or fully outsourcing them (SAQ A)

  • Answer every PCI DSS requirement (several hundred questions); anything not applicable must be justified as such rather than skipped

SAQ D is also the only SAQ available to service providers.

How the Manual Process Exceptions Affect SAQ Selection

For the scenarios you mentioned in your initial request:

  • A retailer using managed devices but falling back to paper during outages

  • A concert venue with managed POS but occasional manual card processing

  • A veterinary clinic manually entering cards

The common thread is a second acceptance channel that doesn't match the SAQ the primary channel qualifies for. The PCI SSC's SAQ Instructions and Guidelines handle this in one of two ways: with the acquirer's agreement the merchant completes a separate SAQ for each channel, otherwise it completes a single SAQ D covering everything. Because the exception channels here involve staff handling card numbers directly, on paper or keyed in by hand, the likely outcome is SAQ D unless each exception can be matched to an eligible SAQ (for example paper imprints under SAQ B, or hand-keyed transactions through an isolated virtual terminal under SAQ C-VT). Either way, even a rare exception makes the business responsible for protecting that data for its whole lifecycle: where it is written down, who can see it, how long it is kept and how it is destroyed.

However, this is precisely where Bento Security can provide value - by helping these businesses implement practical, targeted controls for these exception scenarios and conducting a proper scoping exercise to minimize compliance burden where possible.