ACCORDING TO PAYMENT BRAND RULES, ALL MERCHANTS AND SERVICE PROVIDERS ARE REQUIRED TO COMPLY WITH THE PCI DSS IN ITS ENTIRETY.
There are five SAQ categories, shown briefly in the table below. Use the table to gauge which SAQ applies to your organization.
Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage
Merchants using only web-based virtual terminals, no electronic cardholder data storage
Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete a SAQ.
Merchants using only hardware payment terminals included in a PCI SSC-listed, validated, P2PE solution, no electronic cardholder data storage. This would never apply to e-commerce merchants.