SAQ-A ✔✔E-commerce or telephone order merchants; processing fully outsourced to a validated
3rd party. No processing, transmitting, or storing done by the merchant
SAQ-B ✔✔Merchants with imprint machines and/or merchants with only standalone dial-out
terminals
SAQ-B-IP ✔✔Same as SAQ-B, but the terminals are not dial-out; the terminals have an IP
connection
SAQ-C ✔✔Merchants with payment apps connected to the Internet but with no CHD storage.
Not available if doing e-commerce
SAQ-C-VT ✔✔Merchants who only use virtual terminals from a validated 3rd party. Do
transactions one at a time. Not available if doing e-commerce
SAQ-A-EP ✔✔Same as SAQ-A, but the web site could affect the security of the outsourced 3rd party
solution.
SAQ-D ✔✔Used by merchants not eligible for any other SAQ. Service providers must always
use SAQ-D
Where are firewalls required? ✔✔Between Internet and CHD, between DMZ and internal
network, between wireless networks and CHD
How often must firewall rules be reviewed? ✔✔6 months and after significant environment
change
Non-Console admin access must be ______ ✔✔encrypted
CHD data can only be stored for how long? ✔✔Based on the merchant's documented policy, which is based on
business, regulatory, and legal requirements
CHD that has exceeded its defined retention period must be deleted based on a ________ process
✔✔quarterly