SAQ C — Internet-Connected Payment Apps

PCI DSS SAQ C Compliance Guide

For merchants with payment application systems connected to the internet who do not store cardholder data electronically.

Covers approximately 160 requirements across network security, vulnerability management, access control, and more. Understand your SAQ C obligations and how GRCTrack streamlines compliance.

What Is SAQ C?

SAQ C is a PCI DSS Self-Assessment Questionnaire designed for merchants whose payment application systems are connected to the internet but who do not store cardholder data electronically. This typically covers brick-and-mortar retailers using internet-connected point-of-sale (POS) systems or payment terminals that communicate with payment processors over the internet.

With approximately 160 requirements, SAQ C is substantially more comprehensive than SAQ A (~22 requirements) or SAQ B (~41 requirements). The increased scope reflects the broader attack surface created by having payment systems connected to the internet. SAQ C covers network security controls, vulnerability management, access control, physical security, monitoring, and security policies.

The key eligibility condition for SAQ C is that the merchant's payment application system is the only system in the cardholder data environment connected to the internet, and no cardholder data is stored electronically after authorization. Merchants who store cardholder data electronically or whose payment systems are connected to other internal systems that store cardholder data must use the full SAQ D assessment instead.

Who Qualifies for SAQ C?

Merchants with POS systems or payment applications connected to the internet for transaction processing
Merchants whose payment application system is not connected to any other systems within the environment that store cardholder data
Merchants who do not store cardholder data in any electronic format after transaction authorization
Brick-and-mortar retailers using internet-connected payment terminals with direct connections to payment processors
Merchants whose payment application system is the only component in the cardholder data environment with internet connectivity
Merchants who have a single payment channel (no e-commerce) and do not process card-not-present transactions via the internet

Key SAQ C Requirements

Req 1: Network Security Controls

Install and maintain network security controls (firewalls) between payment systems and untrusted networks. Define and enforce rules restricting inbound and outbound traffic to only what is necessary for payment processing.

Req 2: Secure Configurations

Apply secure configurations to all system components. Change all vendor-supplied default passwords and settings. Remove or disable unnecessary services, protocols, and functionality on payment systems.

Req 4: Secure Transmissions

Encrypt transmission of cardholder data across open, public networks using strong cryptography. Ensure POS terminals and payment applications use TLS 1.2 or higher for all communications with payment processors.

Req 5-6: Vulnerability Management

Deploy and maintain anti-malware software on all systems commonly affected by malware. Develop and maintain secure systems by applying vendor-supplied security patches promptly and managing application security.

Req 7-8: Access Control

Restrict access to system components and cardholder data to only those individuals whose job requires it. Assign unique IDs to each person with access, enforce strong authentication, and implement multi-factor authentication for administrative access.

Req 9: Physical Security

Restrict physical access to cardholder data and payment systems. Protect POS terminals against tampering and substitution. Maintain device inventories and train personnel to detect tampering attempts.

Req 10-11: Monitoring & Testing

Log and monitor all access to system components and cardholder data. Perform quarterly internal and external (ASV) vulnerability scans. Conduct penetration testing and implement intrusion detection or prevention systems.

Req 12: Security Policies

Establish, publish, and maintain an information security policy. Implement a security awareness program, manage third-party service providers, and maintain an incident response plan for suspected breaches.

Common SAQ C Mistakes

Not Segmenting the POS Network

One of the most common and costly mistakes is failing to isolate the POS network from the rest of the corporate network. Without proper network segmentation, the entire network may be considered in scope for PCI DSS, dramatically increasing the number of systems and controls that must be assessed and maintained. Use firewalls or VLANs to segment payment systems from general-purpose workstations, servers, and Wi-Fi networks.

Storing Cardholder Data Accidentally in Logs

Payment applications and POS systems can inadvertently write full card numbers, expiration dates, or CVV values into application logs, debug logs, or transaction logs. This unintended storage disqualifies the merchant from SAQ C and creates a serious data breach risk. Regularly audit log files and configure payment applications to mask or truncate cardholder data in all log outputs.
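One way to run the log audit described above, as an added example that is not GRCTrack's own tooling: scan each log line for card-number-shaped digit runs, keep only those that pass the Luhn check (which discards request IDs and timestamps that merely look numeric), and rewrite any hit to first-six/last-four. The log lines, field names, and card numbers below are constructed (public test numbers, not real accounts).

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a 20-digit serial is not split into a PAN).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str):
    """Return (line with every Luhn-valid PAN masked, number of PANs found)."""
    count = 0
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            line = line.replace(m.group(0), mask_pan(digits))
            count += 1
    return line, count


def audit_log(lines):
    """Return ([(line_number, pan_count), ...], redacted_lines) for a list of log lines."""
    findings, redacted = [], []
    for n, line in enumerate(lines, 1):
        new_line, count = redact_line(line)
        if count:
            findings.append((n, count))
        redacted.append(new_line)
    return findings, redacted


# Constructed sample log lines; the request id on line 2 is 13 digits but fails Luhn.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 INFO auth ok pan=4111 1111 1111 1111 exp=12/26",
    "2024-05-01 12:00:02 DEBUG request id=1234567890123 total=19.99",
    "2024-05-01 12:00:03 ERROR decline pan=5555555555554444 cvv=123",
]

if __name__ == "__main__":
    for n, count in audit_log(SAMPLE_LOG)[0]:
        print(f"line {n}: {count} PAN(s) found and masked")
```

Any finding means full PANs are reaching disk, which by itself takes the merchant outside SAQ C; the masking is a containment step, and the application's own logging configuration still has to be fixed at the source.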

Running Unnecessary Services on Payment Systems

Payment terminals and POS systems often run on general-purpose operating systems that include many services and applications not required for payment processing. Web browsers, email clients, file sharing, and remote desktop services all increase the attack surface. Harden payment systems by disabling or removing all unnecessary services, protocols, daemons, and software.

Neglecting Physical Terminal Security

SAQ C requires merchants to protect POS terminals and payment devices against physical tampering and substitution. Many merchants fail to maintain an inventory of payment devices, inspect terminals regularly for signs of tampering, or train staff to recognize skimming devices and unauthorized terminal replacements. Implement a terminal inspection program with documented procedures and frequency.

How GRCTrack Helps with SAQ C Compliance

SAQ type selection wizard that evaluates your payment architecture and confirms SAQ C eligibility based on your environment
Pre-built SAQ C control library with all ~160 requirements mapped, organized by PCI DSS requirement category
Network segmentation assessment tools to help document and validate isolation of your payment application environment
Vulnerability scan tracking with automated reminders for quarterly ASV scans and internal vulnerability assessments
Evidence collection templates designed for SAQ C documentation including network diagrams, device inventories, and configuration baselines
AI-powered compliance guidance built by certified QSAs to answer SAQ C-specific questions about network security and payment application hardening


Ready to Complete Your SAQ C Assessment?

GRCTrack guides you through every SAQ C requirement with step-by-step compliance workflows.