Your selected question
I am a level 2 (or 3 or 4) merchant and I find it difficult to understand which PCI DSS self assessment questionnaire (SAQ) to complete, can you help?
Barclaycard is not an accredited QSA, and as such is not allowed to provide customers with any advice concerning which SAQ they should fill in. Customers take full responsibility for which SAQ they choose to complete; they should always ensure that they can complete the eligibility section of the applicable SAQ.
However, the table below may offer you some insight (nb: the latest version of the SAQ on the PCI security standards website should be used):
|
Merchant card processing/ storage type |
SAQ Type |
Nbr of questions |
Is a Network Scan Required? |
|
ePDQ CPI |
A |
13 |
No |
|
PDQ Card Present only |
B |
29 |
No |
|
PDQ Card Present plus mail/telephone order Paper only |
B |
29 |
No |
|
Card Not Present - paper only, uses PDQ |
B |
29 |
No |
|
ePDQ Lite (Virtual Terminal) paper only |
C-VT |
51 |
No |
|
ePDQ CPI + ePDQ Lite (Virtual Terminal) paper only |
C-VT |
51 |
No |
|
IP PDQ Terminal isolated/segmented from rest of merchants network |
C |
80 |
Yes Office Internet Connection |
|
Card Not Present - paper only, processed using a Virtual Terminal |
C-VT |
51 |
No |
|
ePDQ MPI no electronic storage |
C |
80 |
Yes Office Internet Connection and website scan required |
|
ePDQ CPI + ePDQ Lite (Virtual Terminal) electronic storage |
D |
298 |
Yes Office Internet Connection and recommended on website |
|
ePDQ Lite (Virtual Terminal) electronic storage |
D |
298 |
Yes Office Internet Connection |
|
IP PDQ Terminal on shared Network electronic storage |
D |
298 |
Yes Office Internet Connection |
|
PDQ Card Present plus mail/telephone order electronic storage |
D |
298 |
Yes Office Internet Connection |
|
Card Not Present - electronic storage, uses PDQ |
D |
298 |
Yes Office Internet Connection |
|
Card Not Present - electronic storage, processed using a Virtual Terminal |
D |
298 |
Yes Office Internet Connection |
|
ePDQ MPI electronic storage |
D |
298 |
Yes Website and Office Internet Connection + Hosting Company must be compliant |
Whilst the PCI DSS does not always require a merchant's website to be scanned Barclaycard advises that it is good practice to do so regardless of what card processing method is used.
Barclaycard recommends Level 4 merchants take advantage of the free needs analysis that SecurityMetrics provides by calling them on 0844 561 1662 *. Then you may register with them for their services or obtain the questionnaire from the PCI security standards website www.pcisecuritystandards.org and complete it yourself.
*View call charge information from Business landlines within the UK.
How useful did you find the answer given?
Not at all Very useful