PCI SAQs: Which Self-Assessment Questionnaire Is Right for Your Business?

  • March 10, 2022

Emily Bonnie

Senior Content Marketing Manager at Secureframe


Marc Rubbinaccio

Manager of Compliance at Secureframe

The Payment Card Industry Data Security Standard (PCI DSS) requires all organizations that store, process, or transmit payment card data to uphold certain security standards. These requirements also apply to organizations that can impact cardholder data. These security measures protect cardholder data from fraud and help build consumer trust. 

PCI DSS certification applies to both merchants (organizations that accept cardholder data as payment for goods or services) and service providers (organizations that provide services that can impact cardholder data). There are a few levels of certification, defined by the PCI SSC or the security standards council. 

Level 1 merchants and service providers — as defined by the PCI SSC or based on your customer requirements —are required to complete a Report on Compliance (RoC). All other organizations would need to complete a Self-Assessment Questionnaire (SAQ). 

If you need to complete an SAQ, you've come to the right place. We'll explain the different types of SAQs and help you determine which one applies to your business. 

What is a PCI SAQ?

PCI SAQ stands for Payment Card Industry Self-Assessment Questionnaire. Self-assessment is a requirement for merchants and service providers that do not need a full report on compliance. 

The SAQ has two parts: 

  1. A set of self-guided questions designed to assess your level of compliance
  2. An Attestation of Compliance (AoC), which requires you to attest that you're both qualified to perform the SAQ and have done so.

The SAQ will require you to attest how your organization meets PCI DSS standards. With a series of yes or no questions, the SAQ will state each PCI requirement and the expected testing, then ask whether the control is: 

  • In place
  • In place with a Compensating Control Worksheet or CCW*
  • Not in place
  • N/A
  • Not tested 

Compensating controls are considered when an organization cannot meet a requirement exactly as stated (due to technical or business constraints) but has sufficiently mitigated the risk.

If you answer "no" to any of the questions, you'll be required to explain what your plans are for remediating the gap and the expected timeline. You must meet each control to be compliant with PCI DSS. 

The Ultimate Guide to PCI DSS

Learn everything you need to know about the requirements, process, and costs of getting PCI certified. 


There are 8 types of self-assessment questionnaires for merchants and service providers to prove their PCI DSS compliance. The three main types are:


SAQ A is for any e-commerce or mail/telephone order organization where payment cards are not present during the transaction. All cardholder data functions are outsourced to a third-party service provider, and no cardholder data is stored, processed, or transmitted on the merchant’s systems or premises. 


SAQ A-EP is also for e-commerce merchants who outsource all payment processing to PCI DSS-compliant third parties. No cardholder data is stored, processed, or transmitted on the merchant’s systems or premises. However, A-EP organizations do have websites that can impact the security of the payment transaction. 


All merchants who don’t fit into one of the categories above, and all service providers who are eligible to complete an SAQ, will need an SAQ D.

Deciding which SAQ you need for compliance

Determining which type of SAQ you'll need to complete mostly comes down to two factors: defining if you are a service provider or a merchant and how you process payments. 

If you are a service provider, you will need to complete the SAQ D.  If you are a merchant, there are a few items you will need to consider. 

Below, we break down the main SAQ types to help you understand key differences and determine which one you qualify for. 


SAQ A vs A-EP is ultimately the difference between outsourcing all management of your e-commerce environment or part of it.  

It is important in both the SAQ A and SAQ A-EP that you are not storing, processing, or transmitting cardholder data of any kind. If you are, you'll need SAQ D. In both scenarios all payment processing will be outsourced to a PCI DSS validated, third-party payment processor.

To qualify for the SAQ A you must be outsourcing the management of the web application and underlying infrastructure to a PCI DSS compliant service provider. If any elements of the payment page are your responsibility, you must attest to the SAQ A-EP. 

If you’re still unsure which SAQ is most appropriate for your compliance needs, you can request more detailed guidance from your acquiring organization, merchant bank, payment brand, or qualified security assessor (QSA). 

To make it even easier to determine the appropriate SAQ for your organization, we've created a visual decision tree. Answer a few questions to find out which of the different SAQs meet your PCI DSS compliance needs. 

Simplify your PCI DSS Self-Assessment Questionnaire

Whether it's an SAQ D or a RoC, you’ll still need to comply with all PCI DSS requirements — which can include 300+ security controls, data encryption standards, formal policies, vulnerability scans, and an audit by a QSA. 

Secureframe can help streamline the entire process of PCI DSS compliance, including completing your SAQ.

Our platform automates technical controls, scans your cloud infrastructure for discrepancies, and assesses vendor risk. And our team of in-house compliance experts will help you create policies, complete your SAQ and readiness assessment, and maintain compliance. 

Quickly evaluate and strengthen your overall information security posture, keep your customers' credit card data safe, and satisfy PCI DSS requirements with Secureframe. Request a demo today.


What is a PCI SAQ?

A PCI SAQ, or Payment Card Industry Self-Assessment Questionnaire, is a series of yes or no questions that include all 12 requirements which require merchants and service providers to attest that their organization meets PCI DSS standards. A PCI SAQ is a requirement for merchants and service providers that do not need a full report on compliance.

How often do you need to fill out the PCI SAQ?

Payment brands set the frequency for PCISAQs, but in general, Level 2-4 organizations should fill one out annually.

Who needs to fill out a PCI SAQ A?

E-commerce or mail/telephone-order merchants that do not store, process, or transmit any account data in electronic format on their systems or premises need to fill out a PCI SAQ A.

What is the difference between PCI SAQ A and PCI SAQ A EP?

The key difference is that PCI SAQ A merchants outsource all payment processing to third parties, whereas PCI SAQ A EP merchants partially outsource their e-commerce payment channel to PCI DSS validated and compliant third parties. Also PCI SAQ A is for e-commerce or mal/telephone-order merchants whereas PCI SAQ A EP is only for e-commerce merchants.