PCI SAQs: Which Self-Assessment Questionnaire Is Right for Your Business?

December 13, 2023

Author: Emily Bonnie, Senior Content Marketing Manager at Secureframe

Reviewer: Marc Rubbinaccio, Manager of Compliance at Secureframe

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that applies to all merchants and service providers that store, process, or transmit cardholder data, or that could affect the security of cardholder data.

The PCI Security Standards Council (PCI SSC) defines different levels of compliance based on the volume of cardholder data transactions an organization handles or could impact. Each level has different reporting requirements.

Since Level 1 merchants and service providers handle the highest volume of cardholder data transactions, they are considered the highest risk and are likely to have the most stringent reporting requirements, which means completing a Report on Compliance (RoC). All other levels need to complete a Self-Assessment Questionnaire (SAQ).

If you’ve determined your PCI level and you only need to complete an SAQ, you've come to the right place. We'll explain the different types of SAQs and help you determine which one applies to your business.

What is a PCI SAQ?

PCI SAQ stands for Payment Card Industry Self-Assessment Questionnaire. Self-assessment is a requirement for merchants and service providers that do not need a full report on compliance. 

The SAQ has two parts: 

  1. A set of self-guided questions designed to assess your level of compliance
  2. An Attestation of Compliance (AoC), in which either your organization or a Qualified Security Assessor (QSA) firm attests to your PCI DSS compliance

The SAQ will require you to attest that your organization meets PCI DSS standards. With a series of yes or no questions, the SAQ will describe each PCI requirement and the expected testing, then ask whether the control is: 

  • In place
  • In place with a Compensating Control Worksheet (CCW)
  • Not in place
  • N/A
  • Not tested 

Compensating controls are only considered when an organization cannot meet a requirement exactly as stated (due to technical or business constraints) but has implemented other controls that go above and beyond to sufficiently mitigate the risk.

If you answer "not in place" to any of the questions, you'll be required to explain what your plans are for remediating the gap and the expected timeline. You must meet each control to be compliant with PCI DSS.


PCI DSS SAQ types

There are 8 types of self-assessment questionnaires for merchants and service providers to document and attest to their PCI DSS compliance. The one you need to complete depends on whether you are a merchant or service provider and what type of merchant you are. Find an overview of each type of SAQ for the latest version of PCI DSS — PCI DSS v4.0 — below.

Overview of the 8 PCI SAQ types

SAQ A

SAQ A is for merchants that accept only e-commerce or mail order/telephone order transactions where payment cards are not present and outsource all processing of account data to PCI DSS-compliant third parties.

No account data is stored, processed, or transmitted electronically on SAQ A merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ A-EP

SAQ A-EP is for merchants that accept only e-commerce transactions and outsource all processing of account data to PCI DSS-compliant third parties except for the account data ingestion page. Merchants that comply with SAQ A-EP have e-commerce websites that do not receive account data themselves but do control how customers, or their account data, are redirected to the third-party service provider. For this reason, the merchant does affect the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data. 

No cardholder data is stored, processed, or transmitted electronically on SAQ A-EP merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ B

SAQ B is for merchants that process account data using only imprint machines and/or standalone, dial-out terminals. They may be brick-and-mortar or mail order/telephone order merchants.

No account data is stored electronically on SAQ B merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ B-IP

SAQ B-IP is for merchants that process account data using only standalone, PIN Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor. They may be brick-and-mortar or mail order/telephone order merchants.

As with SAQ B merchants, no account data is stored electronically on SAQ B-IP merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ C

SAQ C is for merchants that process account data using only payment application systems connected to the Internet. They may be brick-and-mortar or mail order/telephone order merchants.

No account data is stored electronically on SAQ C merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ C-VT

SAQ C-VT is for merchants that process account data using only virtual payment terminal solutions that are provided and hosted by a PCI DSS validated third-party service provider and accessed on an isolated computing device connected to the Internet. In other words, these merchants manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution. They may be brick-and-mortar or mail order/telephone order merchants.

No account data is stored electronically on SAQ C-VT merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ P2PE

SAQ P2PE is for merchants that process account data using only payment terminals that are included in and managed via a validated, PCI-listed Point-to-Point Encryption (P2PE) solution. They may be brick-and-mortar or mail order/telephone order merchants.

No account data is stored electronically on SAQ P2PE merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ D

SAQ D is for all merchants who don’t fit into one of the categories above, and all service providers who are eligible to complete an SAQ.

Deciding which SAQ you need for compliance

Determining which type of SAQ you'll need to complete mostly comes down to two factors: whether you are a service provider or a merchant, and how you handle cardholder data.

If you are a service provider, you will need to complete SAQ D. If you are a merchant, your SAQ type will be based on how your organization handles cardholder data.

The table below shows the eligibility criteria for each type of SAQ. Merchants must meet all the requirements for a particular SAQ to use it.

| Type of SAQ | Type of merchant | Account data scope | Electronic account data storage allowed |
|---|---|---|---|
| SAQ A | E-commerce and mail order/telephone order (card not present) | Outsource all payment processing to PCI DSS validated and compliant third parties | No |
| SAQ A-EP | E-commerce | Outsource all payment processing to PCI DSS validated and compliant third parties, with the exception of the page that accepts account data | No |
| SAQ B | Brick-and-mortar (card present) and mail order/telephone order (card not present) | Via imprint machines and/or standalone, dial-out terminals (connected via a phone line to the merchant processor) | No |
| SAQ B-IP | Brick-and-mortar and mail order/telephone order | Via PTS POI devices with an IP connection to the payment processor | No |
| SAQ C | Brick-and-mortar and mail order/telephone order | Via payment application systems (e.g. point-of-sale systems) connected to the Internet | No |
| SAQ C-VT | Brick-and-mortar and mail order/telephone order | Via third-party virtual payment terminal solutions on an isolated computing device connected to the Internet | No |
| SAQ P2PE | Brick-and-mortar and mail order/telephone order | Via a validated PCI-listed P2PE solution | No |
| SAQ D | All merchants who are eligible to complete an SAQ but do not meet the criteria for any other SAQ type. Note: this is the only type of SAQ that applies to service providers who are eligible to complete an SAQ. | May process account data on their website | May have electronic account data storage |
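The eligibility rules in the table can be read as a decision procedure: service providers always get SAQ D, any electronic storage of account data disqualifies every SAQ except D, a merchant must satisfy all criteria of a given SAQ, and anything that fits none of the narrower SAQs falls through to SAQ D. The following Python helper is an added illustration of that procedure written for this article; it is not PCI SSC material or Secureframe code. The field names, the vocabulary of processing methods, and the handling of a merchant that mixes several methods (treated here as failing the "all criteria" rule and falling to SAQ D) are assumptions made for the example, so the acquirer or QSA guidance mentioned below still decides the real answer.

```python
# Added illustration: the SAQ eligibility table as a decision procedure.
# Not PCI SSC text and not Secureframe code; field names, the method
# vocabulary and the order of checks are assumptions made for this example.
from dataclasses import dataclass

# Assumed vocabulary for how a merchant processes account data.
OUTSOURCED = "outsourced"                      # all processing by PCI DSS compliant third parties
IMPRINT_DIALOUT = "imprint_dialout"            # imprint machines / standalone dial-out terminals
PTS_POI_IP = "pts_poi_ip"                      # standalone PTS POI devices with an IP connection
PAYMENT_APP_INTERNET = "payment_app_internet"  # POS / payment application connected to the Internet
VIRTUAL_TERMINAL = "virtual_terminal"          # third-party hosted virtual terminal
P2PE_LISTED = "p2pe_listed"                    # terminals in a validated, PCI-listed P2PE solution

# Assumed vocabulary for payment channels.
ECOM, MOTO, CARD_PRESENT = "ecommerce", "moto", "card_present"


@dataclass(frozen=True)
class PaymentProfile:
    service_provider: bool = False
    channels: frozenset = frozenset()   # subset of {ECOM, MOTO, CARD_PRESENT}
    methods: frozenset = frozenset()    # processing methods actually in use
    stores_account_data_electronically: bool = False
    controls_payment_page: bool = False  # merchant site controls the redirect/payment page (A-EP)
    isolated_device: bool = False        # virtual terminal used only from an isolated device (C-VT)


def select_saq(p: PaymentProfile) -> str:
    """Return the SAQ type the profile is eligible for, falling back to SAQ D."""
    # Service providers eligible for an SAQ always complete SAQ D.
    if p.service_provider:
        return "SAQ D"
    # Every SAQ other than D requires that no account data is stored electronically.
    if p.stores_account_data_electronically:
        return "SAQ D"
    # "Merchants must meet all the requirements for a particular SAQ": a mix of
    # processing methods satisfies none of the narrower SAQs, so it falls to D.
    if len(p.methods) != 1 or not p.channels:
        return "SAQ D"
    (method,) = p.methods
    card_not_present_only = p.channels <= {ECOM, MOTO}
    no_ecommerce = p.channels <= {CARD_PRESENT, MOTO}

    if method == OUTSOURCED:
        if p.controls_payment_page:
            # SAQ A-EP is only for e-commerce merchants.
            return "SAQ A-EP" if p.channels == {ECOM} else "SAQ D"
        # SAQ A covers e-commerce and mail order/telephone order (card not present).
        return "SAQ A" if card_not_present_only else "SAQ D"

    # SAQ B, B-IP, C, C-VT and P2PE cover brick-and-mortar and MOTO merchants only.
    if not no_ecommerce:
        return "SAQ D"
    if method == IMPRINT_DIALOUT:
        return "SAQ B"
    if method == PTS_POI_IP:
        return "SAQ B-IP"
    if method == PAYMENT_APP_INTERNET:
        return "SAQ C"
    if method == VIRTUAL_TERMINAL:
        # C-VT additionally requires the isolated computing device.
        return "SAQ C-VT" if p.isolated_device else "SAQ D"
    if method == P2PE_LISTED:
        return "SAQ P2PE"
    return "SAQ D"


if __name__ == "__main__":
    # Constructed sample profiles for a quick walk-through.
    samples = {
        "hosted checkout only": PaymentProfile(channels=frozenset({ECOM}), methods=frozenset({OUTSOURCED})),
        "own page, redirects to PSP": PaymentProfile(channels=frozenset({ECOM}), methods=frozenset({OUTSOURCED}),
                                                     controls_payment_page=True),
        "shop with IP terminals": PaymentProfile(channels=frozenset({CARD_PRESENT}), methods=frozenset({PTS_POI_IP})),
        "shop and web shop mixed": PaymentProfile(channels=frozenset({CARD_PRESENT, ECOM}),
                                                  methods=frozenset({IMPRINT_DIALOUT, OUTSOURCED})),
    }
    for name, profile in samples.items():
        print(f"{name}: {select_saq(profile)}")
```

Because the checks are ordered from the broadest disqualifiers (service provider, electronic storage, mixed methods) to the narrowest positive match, adding a new eligibility rule means adding one branch rather than editing the fallback, and the result for any profile that satisfies nothing stays SAQ D.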

If you’re still unsure which SAQ is most appropriate for your compliance needs, you can request more detailed guidance from your acquiring organization, merchant bank, payment brand, or qualified security assessor (QSA).

Simplify your PCI DSS Self-Assessment Questionnaire

Whether it's an SAQ A or SAQ D, you’ll still need to comply with all applicable PCI DSS requirements — which can include hundreds of security controls, account data encryption requirements, formal published PCI DSS policies, vulnerability scans, and a penetration test.

Secureframe can help streamline the process. Our team of in-house compliance experts helps you understand the PCI DSS framework, and our platform automates evidence collection, continuously monitors your controls, and gives you a place to manage vendor risk.

To learn how to quickly evaluate and strengthen your overall information security posture, keep your customers' credit card data safe, and satisfy PCI DSS requirements with Secureframe, request a demo today.

FAQs

What is a PCI SAQ?

A PCI SAQ, or Payment Card Industry Self-Assessment Questionnaire, is a series of yes or no questions covering all 12 PCI DSS requirements, through which merchants and service providers attest that their organization meets PCI DSS standards. A PCI SAQ is a requirement for merchants and service providers that do not need a full report on compliance.

How often do you need to fill out the PCI SAQ?

Payment brands set the frequency for PCI SAQs, but in general, Level 2-4 organizations should fill one out annually.

Who needs to fill out a PCI SAQ A?

E-commerce or mail/telephone-order merchants that do not store, process, or transmit any account data in electronic format on their systems or premises need to fill out a PCI SAQ A.

What is the difference between PCI SAQ A and PCI SAQ A EP?

The key difference is that PCI SAQ A merchants outsource all payment processing to third parties, whereas PCI SAQ A-EP merchants partially outsource their e-commerce payment channel to PCI DSS validated and compliant third parties. Also, PCI SAQ A is for e-commerce or mail/telephone-order merchants, whereas PCI SAQ A-EP is only for e-commerce merchants.