
PCI SAQ Scan And Validation

If you are a merchant and accept credit cards, you must validate PCI compliance on an annual basis. You must also submit to a network security scan if you use external-facing IP addresses that collect, process, or transmit payment account information. Even if you provide email service and employee Internet access, you may be at risk of exposing cardholder data.

The scan will identify vulnerabilities in your operating systems, services, and devices that could be compromised by hackers to gain access to your private network. You are required to submit compliance documentation (successful scan reports) according to the timetable determined by your acquirer. The scans must be conducted by a PCI SSC Approved Scanning Vendor such as Compliance Pay.

Please use the chart below to determine which SAQ form you must complete and whether Network Security Scans are a required part of your PCI compliance.


SAQ Validation

| Type | Description | SAQ |
|------|-------------|-----|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced with no face-to-face interaction. | A |
| 2 | Imprint-only merchants with no cardholder data storage | B |
| 3 | Stand-alone dial-up terminal merchants, no cardholder data storage | B |
| 4 | Merchants with payment application systems connected to the Internet, no cardholder data storage | C |
| 5 | All other merchants not included above and all service providers defined by a payment brand as eligible to complete an SAQ | D |

