Self-Assessment Questionnaire Types
Level 1 merchants are required to have a Report on Compliance (ROC) completed by an approved
QSA. If you have an ISA-certified internal auditor on staff, this individual may complete the ROC as
well.
Only level 2 – level 4 merchants are eligible to complete a Self-Assessment Questionnaire (SAQ).
The SAQ type you are eligible to complete is based on how you accept payment cards.
Merchants who deploy and use Toast POS as recommended are eligible for one of two types of
SAQs: SAQ-C or SAQ-D for Merchant.
SAQ-C Eligibility
If you only process payment cards through Toast POS, you are eligible to complete SAQ-C.
However, you must also meet the following requirements:
1. Toast POS is deployed in an isolated network segment not connected to other non-payment
   related devices in your environment.
   If Toast installed your POS to include company-approved networking equipment, our standard
   deployment process ensures this requirement is met.
   If you deploy the Toast POS solution yourself or use a secondary third party, you will need to
   ensure they adhere to the Deployment Checklist in Appendix A to assure requirement one (1)
   above is being addressed.
2. You do not store cardholder data in an electronic form.
   Toast POS does not store electronic copies of cardholder data; therefore, if you only process
   payments through Toast POS you will meet this requirement.
3. If cardholder data is retained, it is only in paper reports or copies of paper receipts.
   Ensuring you only retain paper copies of reports or receipts displaying full account numbers
   is solely your responsibility.
4. You do not support an e-Commerce site, even if said site is fully outsourced to a third-party
   hosting provider.
   If you utilize Online Ordering, SAQ-D is most likely the appropriate SAQ. However, please
   consult a PCI Qualified Security Assessor to determine your options.
PCI Instruction Guide
© Toast 2018