PCI DSS 4.0 Exam Questions With Complete Solutions
SAQ A (Who may use it)
E-commerce merchants who use a third-party to deliver all
elements of a payment page to a customer, but only if they
cannot impact the security of a payment page
Mail-order and telephone order merchants may also be eligible-
to be eligible must make sure only card-not-present transactions
are accepted and that the processing of the cardholder data is
entirely outsourced to PCI DSS validated third-party service
providers, and no cardholder data is stored electronically.
SAQ A-EP
Partially outsourced e-commerce merchants, using a third-party
website for payment processing
SAQ A-EP (Who may use it)
Designed for the scenario where the merchant website controls
how the cardholder data is redirected to the third-party service
provider
Instances where a merchant website creates a payment form
(either directly, or via a script) and the payment data is delivered
directly from the payment browser to the payment processor
SAQ B
,Used for merchants with only standalone, dial-out terminals. No
electronic cardholder data storage
SAQ B (Who may use it)
A merchant that has a physical location where card-present
transactions are accepted may be eligible for SAQ B.
Mail order and telephone order merchants may also be eligible
for SAQ B
In order to be eligible: merchants must make sure the
standalone, dial-out terminals are not connected to any other
systems within their environment, the standalone, dial-out
terminal are not connected to the internet, and no cardholder
data is stored electronically
SAQ B-IP
Merchants with stadalone, IP-connected PTS Point-of-
interaction (POI) terminals, No Electronic Cardholder Data
Storage
SAQ B-IP (Who may use it)
A merchant that has a physical location where card-present
transactions are accepted may be eligible
Mail order and telephone order merchants may also be eligible
Eligibility Requirements include: Make sure the POI devices are
validated to the PTS POI program as listed on the PCI SSC
, website, the devices are not connected to any other systems, and
the POI device does not rely on any other device to connect to
the payment processor.
SAQ C
Merchants with payment application systems connected to the
internet, no electronic cardholder data storage. E-commerce
does not apply.
SAQ C (Who may use it)
Merchants that process cardholder data via a payment
application running on a point-of-sale system, which is
connected to the internet, may be eligible for this SAQ
Eligibility Requirements include: the payment application
system and the internet connection are on the same device or
LAN, they are not connected to any other systems, and the POS
environment is not connected to other locations, and any LAN is
for a single store only.
SAQ C-VT
Merchants with web-based virtual terminals. No electronic
cardholder data storage.
SAQ C-VT (Who may use it)
Eligibility Requirements include: the virtual payment terminal
solution is provided by a PCI DSS validated third-party service
provider, access is via a computer that is isolated, and the
computer does not have software or hardware installed that
causes the cardholder data to be stored.
SAQ A (Who may use it)
E-commerce merchants who use a third-party to deliver all
elements of a payment page to a customer, but only if they
cannot impact the security of a payment page
Mail-order and telephone order merchants may also be eligible-
to be eligible must make sure only card-not-present transactions
are accepted and that the processing of the cardholder data is
entirely outsourced to PCI DSS validated third-party service
providers, and no cardholder data is stored electronically.
SAQ A-EP
Partially outsourced e-commerce merchants, using a third-party
website for payment processing
SAQ A-EP (Who may use it)
Designed for the scenario where the merchant website controls
how the cardholder data is redirected to the third-party service
provider
Instances where a merchant website creates a payment form
(either directly, or via a script) and the payment data is delivered
directly from the payment browser to the payment processor
SAQ B
,Used for merchants with only standalone, dial-out terminals. No
electronic cardholder data storage
SAQ B (Who may use it)
A merchant that has a physical location where card-present
transactions are accepted may be eligible for SAQ B.
Mail order and telephone order merchants may also be eligible
for SAQ B
In order to be eligible: merchants must make sure the
standalone, dial-out terminals are not connected to any other
systems within their environment, the standalone, dial-out
terminal are not connected to the internet, and no cardholder
data is stored electronically
SAQ B-IP
Merchants with stadalone, IP-connected PTS Point-of-
interaction (POI) terminals, No Electronic Cardholder Data
Storage
SAQ B-IP (Who may use it)
A merchant that has a physical location where card-present
transactions are accepted may be eligible
Mail order and telephone order merchants may also be eligible
Eligibility Requirements include: Make sure the POI devices are
validated to the PTS POI program as listed on the PCI SSC
, website, the devices are not connected to any other systems, and
the POI device does not rely on any other device to connect to
the payment processor.
SAQ C
Merchants with payment application systems connected to the
internet, no electronic cardholder data storage. E-commerce
does not apply.
SAQ C (Who may use it)
Merchants that process cardholder data via a payment
application running on a point-of-sale system, which is
connected to the internet, may be eligible for this SAQ
Eligibility Requirements include: the payment application
system and the internet connection are on the same device or
LAN, they are not connected to any other systems, and the POS
environment is not connected to other locations, and any LAN is
for a single store only.
SAQ C-VT
Merchants with web-based virtual terminals. No electronic
cardholder data storage.
SAQ C-VT (Who may use it)
Eligibility Requirements include: the virtual payment terminal
solution is provided by a PCI DSS validated third-party service
provider, access is via a computer that is isolated, and the
computer does not have software or hardware installed that
causes the cardholder data to be stored.
