There are three Self-Assessment Questionnaire (SAQ) types within the new PCI DSS 3.0 standard available for ecommerce websites. They are titled A, A-EP (electronic processing), and D.
| | No. of transactions | | | | | | |
|---|---|---|---|---|---|---|---|
| 1 | Over 6 million | RoCA | RoCA | RoCA-EP | RoCA-EP | RoC | RoC |
| 2 | 1 – 6 million | SAQ A | SAQ A | SAQ A-EP | SAQ A-EP | SAQ D | SAQ D |
| 3 | 20 000 – 1 million | SAQ A | SAQ A | SAQ A-EP | SAQ A-EP | SAQ D | SAQ D |
| 4 | Under 20 000 | SAQ A | SAQ A | SAQ A-EP | SAQ A-EP | SAQ D | SAQ D |
RoCA – Partial Report on Compliance validating the scope, eligibility, and requirements listed in SAQ A
RoCA-EP – Partial Report on Compliance validating the scope, eligibility, and requirements listed in SAQ A-EP
To identify which type is required, a merchant should analyze several factors.
If your website uses an iFrame or Hosted Page implementation, you will be responsible for complying with SAQ A. In this case, the user is taken to a payment page that is hosted by the service provider. This can be done by introducing a redirect, where the user is taken to another page (i.e., hosted page), or can happen on the same page in the form of an iFrame.
You can find a description of the hosted page and iFrame implementation schemes in our API documentation:
N.B.! Neither SAQ A nor SAQ A-EP allows the merchant to store or transmit credit card data through its own servers and network.
You can find a description of how to use tokenization technology in our documentation here.