2009 Payment Card Survey for 3rd-Party Merchants (SAQ A)
 

Before you Begin

 
Completing the Self-Assessment Questionnaire
SAQ A has been developed to address requirements applicable to merchants who retain only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their premises.

These merchants, defined as SAQ Validation Type 1 here and in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their premises. Such merchants must validate compliance by completing SAQ A and the associated Attestation of Compliance, confirming that:

1. Your company handles only card-not-present (e-commerce or mail/telephone-order) transactions;
2. Your company does not store, process, or transmit any cardholder data on your premises, but relies entirely on third party service provider(s) to handle these functions;
3. Your company has confirmed that the third party service provider(s) handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant;
4. Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically; and
5. Your company does not store any cardholder data in electronic format.

This option would never apply to merchants with a face-to-face POS environment.
For more information on some of the terms and concepts described in the following survey, you may find the Data Security Standard (DSS) outline helpful.