Episode 12 — Choose the correct SAQ for your payment channels

Selecting the correct Self-Assessment Questionnaire (SAQ) depends on how you accept payments and where cardholder data flows; the exam treats this as a logic exercise grounded in precise channel definitions. This episode walks through the purpose and boundaries of the common SAQs: A for card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all account data functions to validated third parties, with no electronic storage, processing, or transmission of cardholder data on the merchant's own systems; A-EP for e-commerce merchants whose website controls or influences how the payment page reaches the customer's browser even though the card data itself is entered on a third party's page; D for merchants that do not qualify for any other SAQ, including those with complex environments or electronic storage of cardholder data, and for service providers; and the device- or channel-specific variants (SAQ B, B-IP, C-VT, C, and P2PE) where they apply. We emphasize that form choice follows architecture, not preference, and that a single organization can require multiple SAQs when distinct channels exist under separate merchant identifiers or environments.
We explore exam-style cases to make the distinctions stick: an e-commerce merchant whose own web server delivers any element of the payment page qualifies for A-EP, not A; a site using a genuinely hosted iFrame or a full URL redirect, so that no PAN ever touches the merchant's servers, may fit SAQ A; a retailer that stores only tokens rather than PAN still completes SAQ D if its in-scope systems can affect the security of account data; and service providers that are eligible to self-assess use SAQ D for Service Providers, the only SAQ written for them. Best practices include maintaining a channel inventory, diagrams that show every data entry point, and provider attestations that confirm the hosted capture is real rather than assumed. Troubleshooting addresses edge conditions such as third-party scripts that alter the payment page, mobile apps whose SDKs post directly to a gateway, and kiosks or unattended devices with limited software stacks. The right exam answers respect channel facts, follow documented scope, and select the SAQ that matches the highest-exposure path present, not the smallest questionnaire desired.

Produced by BareMetalCyber.com, where you'll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use and a daily podcast you can commute with.