
PCI DSS Self-Assessment Questionnaire

Directive Statement

All merchant locations or units that store, process, or transmit cardholder data must perform an annual self-assessment in partnership with Merchant Services.

Reason for Directive

Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ credit card data and maximize compliance with the PCI DSS.  Failure to protect such information may result in financial loss for customers, suspension of credit card processing privileges, fines imposed on credit card merchants and damage to the University’s reputation.

Who Must Comply?

All University departments whose personnel store, process or transmit cardholder information. This also applies to units that outsource the processing of payment card information to third party vendors.


The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS.  All University of Florida campus merchants are required to complete a SAQ every year.  There are multiple versions of the SAQ to meet various scenarios.

| SAQ | Description |
| --- | --- |
| A | Card-not-present (e-commerce or mail/telephone-order) merchants that have fully outsourced all cardholder data functions to a PCI DSS compliant third-party service provider, with no electronic storage, processing or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels. |
| A-EP | E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing or transmission of cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels. |
| B | Merchants using only imprint machines with no electronic data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. |
| C | Merchants with payment application systems connected to the internet, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| D | SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types. SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ. |
| P2PE | Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. |

The PCI Security Standards Council provides the SAQ Instruction Guide to assist in completing the annual SAQ.

Last Reviewed

Last reviewed on 03/20/2024


Annual SAQ Instructions and Guidelines

PCI Security Standards Council


TRM200 – Explaining UF Cash/Check Controls

TRM125 – Payment Card Security Awareness Training


Banking & Merchant Services: (352) 392-9057

