PCI SAQs: Which Self-Assessment Questionnaire Is Right for Your Business?

  • December 13, 2023
Author

Emily Bonnie

Senior Content Marketing Manager

Reviewer

Marc Rubbinaccio

Manager, Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements required for all merchants and service providers that store, process, transmit, or could impact the security of cardholder data. 

There are different levels of compliance defined by the PCI Security Standards Council (PCI SSC) based on the cardholder data transaction amount the organization could impact. These levels have different reporting requirements.

Since Level 1 merchants and service providers impact the highest amount of cardholder data transactions, they are considered the most risky and likely have the most stringent reporting requirements resulting in the need to complete a Report on Compliance (RoC). All other levels  need to complete a Self-Assessment Questionnaire (SAQ). 

If you’ve determined your PCI level and you only need to complete an SAQ, you've come to the right place. We'll explain the different types of SAQs and help you determine which one applies to your business.

What is a PCI SAQ?

PCI SAQ stands for Payment Card Industry Self-Assessment Questionnaire. Self-assessment is a requirement for merchants and service providers that do not need a full report on compliance. 

The SAQ has two parts: 

  1. A set of self-guided questions designed to assess your level of compliance
  2. An Attestation of Compliance (AoC), which requires either your organization or a Qualified Assessor firm (QSA) to attest to your PCI DSS compliance

The SAQ will require you to attest that your organization meets PCI DSS standards. With a series of yes or no questions, the SAQ will describe each PCI requirement and the expected testing, then ask whether the control is: 

  • In place
  • In place with a Compensating Control Worksheet or CCW*
  • Not in place
  • N/A
  • Not tested 

Compensating controls are only considered when an organization cannot meet a requirement exactly as stated (due to technical or business constraints) but has sufficiently gone above and beyond to mitigate the risk.

If you answer "not in place" to any of the questions, you'll be required to explain what your plans are for remediating the gap and the expected timeline. You must meet each control to be compliant with PCI DSS.

The Ultimate Guide to PCI DSS

Learn everything you need to know about the requirements, process, and costs of obtaining and maintaining PCI DSS certification.

PCI DSS SAQ types

There are 8 types of self-assessment questionnaires for merchants and service providers to document and attest to their PCI DSS compliance. The one you need to complete depends on whether you are a merchant or service provider and what type of merchant you are. Find an overview of each type of SAQ for the latest version of PCI DSS — PCI DSS v4.0 — below.

Overview of the 8 PCI SAQ types

SAQ A

SAQ A is for merchants that accept only e-commerce or mail order/telephone order transactions where payment cards are not present and outsource all processing of account data to PCI DSS-compliant third parties.

No account data is stored, processed, or transmitted electronically on SAQ A merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ A-EP

SAQ A-EP is for merchants that accept only e-commerce transactions and outsource all processing of account data to PCI DSS-compliant third parties except for the account data ingestion page. Merchants that comply with SAQ A-EP have e-commerce websites that do not receive account data themselves but do control how customers, or their account data, are redirected to the third-party service provider. For this reason, the merchant does affect the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data. 

No cardholder data is stored, processed, or transmitted electronically on SAQ A-EP merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ B

SAQ B is for merchants that process account data using only imprint machines and/or standalone, dial-out terminals. They may be brick-and-mortar or mail order/telephone order merchants.

No account data is stored electronically on SAQ B merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ B-IP

SAQ B is for merchants that process account data using only standalone, PIN Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor. They may be brick-and-mortar or mail order/telephone order merchants.

As with SAQ B merchants, no account data is stored electronically on SAQ B-IP merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ C

SAQ C is for merchants that process account data using only payment application systems connected to the Internet. They may be brick-and-mortar or mail order/telephone order merchants.

No account data is stored electronically on SAQ C merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ C-VT

SAQ C-VT is for merchants that process account data using only virtual payment terminal solutions that are provided and hosted by a PCI DSS validated third-party service provider and accessed on an isolated computing device connected to the Internet. In other words, these merchants manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution. They may be brick-and-mortar or mail order/telephone order merchants.

No account data is stored electronically on SAQ C-VT merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ P2PE

SAQ P2PE is for merchants that process account data using only payment terminals that are included in and managed via a validated, PCI-listed Point-to-Point Encryption (P2PE) solution. They may be brick-and-mortar or mail order/telephone order merchants.

No account data is stored electronically on SAQ P2PE merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts. 

SAQ D

SAQ D is for all merchants who don’t fit into one of the categories above, and all service providers who are eligible to complete an SAQ.

Deciding which SAQ you need for compliance

Determining which type of SAQ you'll need to complete mostly comes down to two factors: defining if you are a service provider or a merchant and how you handle cardholder data. 

If you are a service provider, you will need to complete the SAQ D.  If you are a merchant, your SAQ type will be based on how your organization handles cardholder data. 

The table below shows the eligibility criteria for each type of SAQ. Merchants must meet all the requirements for a particular SAQ to use it.

Type of SAQ Type of merchant Account data scope Electronic account data storage allowed
SAQ A E-commerce and mail order/telephone order (card not present) Outsource all payment processing to PCI DSS validated and compliant third parties No
SAQ A-EP E-commerce Outsource all payment processing to PCI DSS validated and compliant third parties, with the exception of the page that accepts account data No
SAQ B Brick-and-mortar (card present) and mail order/telephone order (card not present) Via imprint machines and/or standalone, dial-out terminals (connected via a phone line to the merchant processor) No
SAQ B-IP Brick-and-mortar and mail order/telephone order Via PTS POI devices with an IP connection to the payment processor No
SAQ C Brick-and-mortar and mail order/telephone order Via payment application systems (ex. Point of sale systems) connected to the Internet No
SAQ C-VT Brick-and-mortar and mail order/telephone order Via third-party virtual payment terminal solutions on an isolated computing device connected to the Internet No
SAQ P2PE Brick-and-mortar and mail order/telephone order Via a validated PCI-listed P2PE solution No
SAQ D All merchants who are eligible to complete an SAQ but do not meet the criteria for any other SAQ type

Note: This is the only type of SAQ that applies to service providers who are eligible to complete an SAQ.
May process account data on their website May have electronic account data storage

If you’re still unsure which SAQ is most appropriate for your compliance needs, you can request more detailed guidance from your acquiring organization, merchant bank, payment brand, or qualified security assessor (QSA).

Simplify your PCI DSS Self-Assessment Questionnaire

Whether it's an SAQ A or SAQ D, you’ll still need to comply with all PCI DSS requirements — which can include hundreds of security controls, account data encryption requirements, formal published PCI DSS policies, vulnerability scans, and a penetration test

Secureframe can help streamline the process. Our team of in-house compliance experts helps you understand the PCI DSS framework and our platform automates evidence collection, continuously monitors your controls, and provides you a platform to manage vendor risk

To learn how to quickly evaluate and strengthen your overall information security posture, keep your customers' credit card data safe, and satisfy PCI DSS requirements with Secureframe, request a demo today.

FAQs

What is a PCI SAQ?

A PCI SAQ, or Payment Card Industry Self-Assessment Questionnaire, is a series of yes or no questions that include all 12 requirements which require merchants and service providers to attest that their organization meets PCI DSS standards. A PCI SAQ is a requirement for merchants and service providers that do not need a full report on compliance.

How often do you need to fill out the PCI SAQ?

Payment brands set the frequency for PCISAQs, but in general, Level 2-4 organizations should fill one out annually.

Who needs to fill out a PCI SAQ A?

E-commerce or mail/telephone-order merchants that do not store, process, or transmit any account data in electronic format on their systems or premises need to fill out a PCI SAQ A.

What is the difference between PCI SAQ A and PCI SAQ A EP?

The key difference is that PCI SAQ A merchants outsource all payment processing to third parties, whereas PCI SAQ A EP merchants partially outsource their e-commerce payment channel to PCI DSS validated and compliant third parties. Also PCI SAQ A is for e-commerce or mal/telephone-order merchants whereas PCI SAQ A EP is only for e-commerce merchants.