
PCI SAQs: Which Self-Assessment Questionnaire Is Right for Your Business?
Emily Bonnie
Senior Content Marketing Manager
Marc Rubbinaccio
Head of Cybersecurity & Compliance
The Payment Card Industry Data Security Standard (PCI DSS) was created to reduce payment card breaches and protect cardholder data across the entire payments ecosystem. The founding members of the PCI Security Standards Council—American Express, Discover, JCB, Mastercard, and Visa—continuously monitor card data compromises, and their investigations consistently point to the same root cause: common security weaknesses that were exploited because PCI DSS controls were either not in place or poorly implemented.
That’s why every merchant and service provider that stores, processes, transmits, or could impact the security of cardholder data must validate and report their compliance on an ongoing basis. While Level 1 organizations—which handle the most card transactions annually—have stricter third-party assessment and reporting requirements, most organizations can use a Self-Assessment Questionnaire (SAQ) to self-evaluate and report their compliance.
If you’ve confirmed you only need an SAQ, you’re in the right place. Below, we explain what a PCI SAQ is, how it works, and how to determine which version applies to your business so you can demonstrate PCI DSS compliance and maintain ongoing security—not just at a single point in time.
What is a PCI SAQ?
PCI SAQ stands for Payment Card Industry Self-Assessment Questionnaire. Self-assessment is a requirement for merchants and service providers that do not need a full Report on Compliance (RoC).
The SAQ has two parts:
- A set of self-guided questions designed to assess your level of compliance
- An Attestation of Compliance (AoC), which requires either your organization or a Qualified Security Assessor (QSA) firm to attest to your PCI DSS compliance

The SAQ will require you to attest that your organization meets PCI DSS standards. With a series of yes or no questions, the SAQ will describe each PCI requirement and the expected testing, then ask whether the control is:
- In place
- In place with a Compensating Control Worksheet or CCW*
- Not in place
- N/A
- Not tested
*Compensating controls are only considered when an organization cannot meet a requirement exactly as stated (due to legitimate technical or business constraints) but has implemented other controls that sufficiently mitigate the risk the requirement addresses.
If you answer "not in place" to any of the questions, you'll be required to explain what your plans are for remediating the gap and the expected timeline. You must meet each control to be compliant with PCI DSS.

Who needs to complete a PCI self-assessment questionnaire?
The PCI Security Standards Council (PCI SSC) defines different compliance levels based on the annual volume of card transactions an organization processes or could impact. Each level has different reporting requirements.
Level 2, 3, and 4 merchants—which process anywhere from fewer than 20,000 up to 6 million card transactions per year—can likely use a self-assessment questionnaire to validate their PCI compliance.
However, Level 1 merchants and service providers—which process over 6 million card transactions per year—likely can't. Since Level 1 merchants and service providers impact the highest amount of cardholder data transactions, they are considered the most risky and likely have the most stringent reporting requirements resulting in the need to undergo an external audit and complete a Report on Compliance (RoC).
In short, you’ll need to complete a PCI SAQ if your organization:
- Stores, processes, transmits, or can impact the security of cardholder data, and
- Is not classified as a Level 1 merchant or service provider (i.e., you process fewer than 6 million annual transactions across all channels)
Merchants and service providers that fall into these lower-volume PCI levels use the SAQ to validate compliance with PCI DSS requirements and provide required evidence to acquiring banks, payment processors, or card brands.
If you’ve confirmed that you don’t need a RoC and an SAQ applies to you, the next step is determining which SAQ type fits your environment. We break down each type below so you can identify the right one for your business.
PCI DSS SAQ types
There are 8 types of self-assessment questionnaires for merchants and service providers to document and attest to their PCI DSS compliance. The one you need to complete depends on whether you are a merchant or service provider and what type of merchant you are. Find an overview of each type of SAQ for the latest version of PCI DSS — PCI DSS v4.0 — below.

SAQ A
SAQ A is for merchants that accept only e-commerce or mail order/telephone order transactions where payment cards are not present and outsource all processing of account data to PCI DSS-compliant third parties.
No account data is stored, processed, or transmitted electronically on SAQ A merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts.
SAQ A-EP
SAQ A-EP is for merchants that accept only e-commerce transactions and outsource all processing of account data to PCI DSS-compliant third parties except for the account data ingestion page. Merchants that comply with SAQ A-EP have e-commerce websites that do not receive account data themselves but do control how customers, or their account data, are redirected to the third-party service provider. For this reason, the merchant does affect the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data.
No cardholder data is stored, processed, or transmitted electronically on SAQ A-EP merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts.
SAQ B
SAQ B is for merchants that process account data using only imprint machines and/or standalone, dial-out terminals. They may be brick-and-mortar or mail order/telephone order merchants.
No account data is stored electronically on SAQ B merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts.
SAQ B-IP
SAQ B-IP is for merchants that process account data using only standalone, PIN Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor. They may be brick-and-mortar or mail order/telephone order merchants.
As with SAQ B merchants, no account data is stored electronically on SAQ B-IP merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts.
SAQ C
SAQ C is for merchants that process account data using only payment application systems connected to the Internet. They may be brick-and-mortar or mail order/telephone order merchants.
No account data is stored electronically on SAQ C merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts.
SAQ C-VT
SAQ C-VT is for merchants that process account data using only virtual payment terminal solutions that are provided and hosted by a PCI DSS validated third-party service provider and accessed on an isolated computing device connected to the Internet. In other words, these merchants manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution. They may be brick-and-mortar or mail order/telephone order merchants.
No account data is stored electronically on SAQ C-VT merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts.
SAQ P2PE
SAQ P2PE is for merchants that process account data using only payment terminals that are included in and managed via a validated, PCI-listed Point-to-Point Encryption (P2PE) solution. They may be brick-and-mortar or mail order/telephone order merchants.
No account data is stored electronically on SAQ P2PE merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts.
SAQ D
SAQ D is for all merchants who don’t fit into one of the categories above, and all service providers who are eligible to complete an SAQ.
Deciding which SAQ you need for compliance
Determining which type of SAQ you'll need to complete mostly comes down to two factors: whether you are a service provider or a merchant, and how you handle cardholder data.
If you are a service provider, you will need to complete the SAQ D. If you are a merchant, your SAQ type will be based on how your organization handles cardholder data.
The table below shows the eligibility criteria for each type of SAQ. Merchants must meet all the requirements for a particular SAQ to use it.
| Type of SAQ | Type of merchant | Account data scope | Electronic account data storage allowed |
|---|---|---|---|
| SAQ A | E-commerce and mail order/telephone order (card not present) | Outsource all payment processing to PCI DSS validated and compliant third parties | No |
| SAQ A-EP | E-commerce | Outsource all payment processing to PCI DSS validated and compliant third parties, with the exception of the page that accepts account data | No |
| SAQ B | Brick-and-mortar (card present) and mail order/telephone order (card not present) | Via imprint machines and/or standalone, dial-out terminals (connected via a phone line to the merchant processor) | No |
| SAQ B-IP | Brick-and-mortar and mail order/telephone order | Via PTS POI devices with an IP connection to the payment processor | No |
| SAQ C | Brick-and-mortar and mail order/telephone order | Via payment application systems (ex. Point of sale systems) connected to the Internet | No |
| SAQ C-VT | Brick-and-mortar and mail order/telephone order | Via third-party virtual payment terminal solutions on an isolated computing device connected to the Internet | No |
| SAQ P2PE | Brick-and-mortar and mail order/telephone order | Via a validated PCI-listed P2PE solution | No |
| SAQ D | All merchants who are eligible to complete an SAQ but do not meet the criteria for any other SAQ type. Note: this is the only type of SAQ that applies to service providers who are eligible to complete an SAQ. | May process account data on their website | May have electronic account data storage |
If you’re still unsure which SAQ is most appropriate for your compliance needs, you can request more detailed guidance from your acquiring organization, merchant bank, payment brand, or qualified security assessor (QSA).
Simplify your PCI DSS Self-Assessment Questionnaire
Whether it's an SAQ A or SAQ D, you’ll still need to comply with all PCI DSS requirements — which can include scoping your cardholder data environment, implementing hundreds of security controls and account data encryption requirements, formalizing and maintaining PCI DSS policies, conducting risk assessments, vulnerability scanning, and penetration testing.
Secureframe can help streamline the entire process. Our team of in-house compliance experts helps you understand the PCI DSS framework and our platform automates evidence collection, continuously monitors your controls, and provides you a platform to manage vendor risk.
To learn how to quickly evaluate and strengthen your overall information security posture, keep your customers' credit card data safe, and satisfy PCI DSS requirements with Secureframe, request a demo today.
This post was originally published in March 2022 and has been updated for accuracy and comprehensiveness.
FAQs
What is a PCI SAQ?
A PCI SAQ, or Payment Card Industry Self-Assessment Questionnaire, is a series of yes or no questions covering the 12 PCI DSS requirements, through which merchants and service providers self-attest that their organization meets PCI DSS standards. A PCI SAQ is a requirement for merchants and service providers that do not need a full Report on Compliance but still need to self-evaluate their compliance with PCI DSS.
What does SAQ stand for in PCI compliance?
SAQ stands for self-assessment questionnaire, which is a validation tool designed to assist merchants and service providers in self-evaluating their PCI compliance.
How often do you need to fill out the PCI SAQ?
Payment brands set the frequency for PCI SAQs, but in general, Level 2-4 organizations should fill one out annually.
Who needs to fill out a PCI SAQ A?
E-commerce or mail/telephone-order merchants that do not store, process, or transmit any account data in electronic format on their systems or premises need to fill out a PCI SAQ A.
What is the difference between PCI SAQ A and PCI SAQ A EP?
The key difference is that PCI SAQ A merchants outsource all payment processing to third parties, whereas PCI SAQ A-EP merchants partially outsource their e-commerce payment channel to PCI DSS validated and compliant third parties. Also, PCI SAQ A is for e-commerce or mail/telephone-order merchants, whereas PCI SAQ A-EP is only for e-commerce merchants.
Does my small business need a PCI SAQ?
Most likely. Small businesses typically fall into the Level 4 category, which requires:
- Completing a self-assessment questionnaire (SAQ)
- Having an Approved Scanning Vendor (ASV) conduct quarterly network scans
- Completing an Attestation of Compliance (AoC)

Emily Bonnie
Senior Content Marketing Manager
Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Marc Rubbinaccio
Head of Cybersecurity & Compliance
Marc Rubbinaccio is an information security leader with over a decade of experience in cybersecurity. As a former auditor and security consultant, Marc performed and managed security and regulatory audits as a lead QSA. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including PCI DSS, SOC 2, ISO 27001, CMMC, and FedRAMP. He also played an integral role in Secureframe’s own CMMC Level 2 assessment and FedRAMP 20x Low authorization.