
Which PCI SAQ Do I Need?
Key Takeaway
Your PCI DSS Self-Assessment Questionnaire (SAQ) type depends on how you process payments, what terminals you use, and whether you store cardholder data. Nine SAQ types cover different merchant scenarios from e-commerce to in-person transactions.
Table of Contents
- What Is a PCI SAQ?
- SAQ Types Overview
- How to Choose the Right SAQ
- Implementation Steps
- Frequently Asked Questions
Key Terms
Self-Assessment Questionnaire (SAQ): A validation tool for merchants and service providers to assess PCI DSS compliance requirements.
Cardholder Data Environment (CDE): The network segment or computing environment where cardholder data is stored, processed, or transmitted.
Attestation of Compliance (AOC): A form documenting merchant compliance validation that must be submitted to acquiring banks.
Point-to-Point Encryption (P2PE): A security standard that encrypts payment data from point of interaction to secure decryption environment.
Qualified Security Assessor (QSA): An individual qualified by PCI SSC to conduct on-site PCI DSS assessments for organizations.
Introduction
Selecting the correct PCI DSS Self-Assessment Questionnaire depends on your payment processing methods, terminal types, and data storage practices. The Payment Card Industry Security Standards Council provides nine different SAQ types to match various merchant scenarios.
Expert Insight: Organizations using automated PCI compliance solutions reduce SAQ completion time by up to 70% compared to manual spreadsheet-based approaches while improving accuracy and reducing compliance gaps.
What Is a PCI DSS Self-Assessment Questionnaire?
PCI DSS Self-Assessment Questionnaires are validation tools provided by the PCI Security Standards Council. These questionnaires help payment-card-processing merchants and service providers assess their PCI compliance status.
Organizations not required to obtain on-site audits by Qualified Security Assessors can use SAQs for self-assessment. Each SAQ contains PCI DSS requirement questions and an Attestation of Compliance for submission to acquiring banks.
When Do Organizations Need to Complete SAQs?
Organizations must complete SAQs when they process, store, or transmit payment card information but don’t require on-site audits and Reports on Compliance (ROC). SAQ completion satisfies PCI DSS validation requirements for most small to medium-sized merchants.
What Are the Different SAQ Types Available?
The PCI Security Standards Council has developed eight merchant SAQs and one service provider SAQ. Each type addresses specific payment processing scenarios and security requirements.
SAQ Types Comparison
SAQ A: E-commerce merchants with outsourced processing
- Target: E-commerce merchants with fully outsourced processing
- Requirements: No cardholder data storage, fully outsourced
SAQ A-EP: E-commerce with website affecting payment security
- Target: E-commerce with website security considerations
- Requirements: Outsourced processing, website security controls
SAQ B: Card-present using imprint machines or dial-out terminals
- Target: Card-present merchants using manual processes
- Requirements: No electronic cardholder data storage
SAQ B-IP: Card-present using standalone IP terminals
- Target: Card-present using IP-connected terminals
- Requirements: PTS-approved terminals, no data storage
SAQ C-VT: Manual entry via virtual payment terminals
- Target: Merchants using virtual payment terminals
- Requirements: Single transactions, hosted solution
SAQ C: Card-present with Internet-connected applications
- Target: Card-present with connected payment applications
- Requirements: Payment applications, no data storage
SAQ P2PE: Hardware terminals with validated P2PE
- Target: Merchants using validated P2PE solutions
- Requirements: Listed P2PE solution, no e-commerce
SAQ D: All other merchants not covered above
- Target: Comprehensive merchant scenarios
- Requirements: Full PCI DSS requirements
What Is SAQ A for E-commerce Merchants?
SAQ A applies to merchants conducting remote business (e-commerce, mail order, telephone order) with fully outsourced payment processing. These merchants must use PCI DSS-validated third parties and cannot store cardholder data in any form.
SAQ A represents the simplest compliance path with the fewest requirements, making it ideal for merchants who completely outsource payment processing to qualified service providers.
How Does SAQ D Differ from Other Types?
SAQ D serves as the comprehensive questionnaire for merchants not fitting other SAQ categories. This includes merchants storing cardholder data, processing payments through non-validated third parties, or having complex payment environments.
SAQ D contains the most extensive requirements, covering all PCI DSS standards. Merchants completing SAQ D must implement comprehensive security controls across their entire cardholder data environment.
How Do You Choose the Right SAQ for Your Organization?
SAQ Selection Decision Process:
- Determine payment processing method: Do you process payments yourself or outsource to third parties?
- Identify payment terminals: What type of payment processing equipment do you use?
- Assess data storage practices: Do you store, process, or transmit cardholder data electronically?
- Evaluate payment channels: Do you accept in-person, online, or both payment types?
- Review third-party validation: Are your payment processors PCI DSS-validated?
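The decision process above and the SAQ comparison earlier on this page can be written down as a rule set, which makes it easier to review whether a merchant profile was classified consistently. The following is an added example written for this article, not ZenGRC's software or an official PCI SSC tool; it encodes only the simplified eligibility summary given on this page (the official SAQ instructions carry further conditions), and the `MerchantProfile`, `Channel`, `Terminal` and `select_saq` names are constructed for the illustration.

```python
"""Simplified PCI SAQ selector built from this page's comparison table.
Assumption: the criteria here are the page's summary only, not the full
PCI SSC eligibility criteria for each questionnaire."""
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    ECOMMERCE = "e-commerce"
    MOTO = "mail order / telephone order"
    CARD_PRESENT = "card-present"


class Terminal(Enum):
    NONE = "no terminal"
    IMPRINT_OR_DIALOUT = "imprint machine or dial-out terminal"
    STANDALONE_IP = "standalone PTS-approved IP terminal"
    VIRTUAL_TERMINAL = "hosted virtual payment terminal, manual keying"
    INTERNET_CONNECTED_APP = "Internet-connected payment application"
    VALIDATED_P2PE = "hardware terminal in a listed P2PE solution"


@dataclass
class MerchantProfile:
    channels: set = field(default_factory=set)  # Channel values accepted
    stores_cardholder_data: bool = False         # any electronic CHD storage
    third_parties_validated: bool = True         # all processors PCI DSS-validated
    fully_outsourced: bool = False               # remote channels: processing handed off
    website_affects_payment: bool = False        # merchant site influences payment page
    terminal: Terminal = Terminal.NONE


def select_saq(p: MerchantProfile) -> tuple:
    """Return (SAQ name, reason). Disqualifiers are checked first, so a
    merchant that stores cardholder data never reaches a reduced SAQ."""
    if p.stores_cardholder_data:
        return "SAQ D", "electronic cardholder data storage rules out the reduced SAQs"
    if not p.third_parties_validated:
        return "SAQ D", "processing through non-validated third parties"

    if Channel.ECOMMERCE in p.channels:
        if p.channels != {Channel.ECOMMERCE}:
            return "SAQ D", "e-commerce combined with other payment channels"
        if not p.fully_outsourced:
            return "SAQ D", "e-commerce with in-house payment processing"
        if p.website_affects_payment:
            return "SAQ A-EP", "outsourced processing, but website affects payment security"
        return "SAQ A", "fully outsourced e-commerce processing, no data storage"

    # One-at-a-time manual keying into a hosted virtual terminal (MOTO or in person).
    if p.terminal == Terminal.VIRTUAL_TERMINAL:
        return "SAQ C-VT", "single transactions keyed into a hosted virtual terminal"

    if Channel.MOTO in p.channels:
        if p.channels != {Channel.MOTO}:
            return "SAQ D", "mail/telephone order combined with card-present channels"
        if p.fully_outsourced:
            return "SAQ A", "fully outsourced mail/telephone order processing"
        return "SAQ D", "mail/telephone order with in-house processing"

    if Channel.CARD_PRESENT in p.channels:
        by_terminal = {
            Terminal.VALIDATED_P2PE: ("SAQ P2PE", "listed P2PE solution, no e-commerce"),
            Terminal.IMPRINT_OR_DIALOUT: ("SAQ B", "imprint machines or dial-out terminals"),
            Terminal.STANDALONE_IP: ("SAQ B-IP", "standalone PTS-approved IP terminals"),
            Terminal.INTERNET_CONNECTED_APP: ("SAQ C", "Internet-connected payment application"),
        }
        return by_terminal.get(
            p.terminal, ("SAQ D", "card-present setup not covered by B, B-IP, C or P2PE"))

    raise ValueError("profile lists no payment channel")


if __name__ == "__main__":
    # Constructed sample profiles, walked through the rule set above.
    samples = {
        "web shop, hosted checkout": MerchantProfile(
            {Channel.ECOMMERCE}, fully_outsourced=True),
        "web shop, own page posts to processor": MerchantProfile(
            {Channel.ECOMMERCE}, fully_outsourced=True, website_affects_payment=True),
        "retail store, IP terminals": MerchantProfile(
            {Channel.CARD_PRESENT}, terminal=Terminal.STANDALONE_IP),
        "retail store, P2PE but keeps PANs on file": MerchantProfile(
            {Channel.CARD_PRESENT}, stores_cardholder_data=True,
            terminal=Terminal.VALIDATED_P2PE),
    }
    for label, profile in samples.items():
        saq, why = select_saq(profile)
        print(f"{label:45s} -> {saq:9s} ({why})")
```

Because the disqualifying checks (data storage, non-validated third parties, mixed channels) run before any terminal lookup, a change to one of those answers automatically moves the merchant to SAQ D, which is the same effect the page describes for re-evaluating the SAQ type when the processing environment changes.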
What Questions Should You Ask About Your Payment Processing?
Organizations should evaluate several key factors when selecting their appropriate SAQ type:
Payment Processing Method: Determine whether you handle credit card transactions internally or outsource processing to validated third-party providers. Complete outsourcing typically qualifies for simpler SAQ types.
Terminal and Equipment Types: Identify your payment processing equipment including standalone terminals, integrated point-of-sale systems, or virtual payment terminals. Different equipment types correspond to specific SAQ categories.
Data Storage Practices: Assess whether your organization stores cardholder data electronically. Data storage significantly impacts SAQ requirements and compliance scope.
What Are the Steps to Complete Your SAQ?
Step 1: Identify Your Correct SAQ Type
Use the decision criteria to determine which SAQ applies to your payment processing environment and business model.
Step 2: Gather Required Documentation
Collect security policies, network diagrams, vulnerability scan reports, and evidence of security controls implementation.
Step 3: Complete SAQ Questions
Answer all applicable questions honestly and provide supporting documentation for each security requirement.
Step 4: Submit Attestation of Compliance
Complete the AOC form and submit both documents to your acquiring bank or payment processor as required.
How Can You Save Time and Money on SAQ Completion?
PCI DSS SAQ forms can be lengthy and resource-intensive to complete manually. Organizations using spreadsheets to track PCI compliance often struggle with disparate documentation sources and time-consuming processes.
Compliance software solutions significantly reduce SAQ completion burden through automated evidence collection, continuous monitoring, and centralized documentation management. These tools help minimize cardholder data environment scope and identify compliance gaps proactively.
What Are the Common SAQ Completion Challenges?
Organizations frequently encounter difficulties gathering required documentation from multiple sources including email accounts, file systems, and third-party providers. Manual processes increase error risk and compliance gaps.
Spreadsheet-based tracking creates version control issues and makes it difficult to maintain audit trails. Automated solutions address these challenges by providing centralized documentation and continuous compliance monitoring.
Frequently Asked Questions
Q: What happens if I choose the wrong SAQ type?
A: Choosing the wrong SAQ type can result in incomplete compliance assessment and potential penalties from acquiring banks. Organizations should carefully review their payment processing environment or consult with QSAs to ensure correct SAQ selection.
Q: How often do I need to complete a PCI SAQ?
A: Organizations must complete PCI SAQs annually and submit them to their acquiring bank. Some merchants may need to complete quarterly updates or additional assessments based on their merchant agreement requirements.
Q: Can I switch SAQ types if my business changes?
A: Yes, you should update your SAQ type when your payment processing methods change. This includes changes to terminals, payment channels, data storage practices, or third-party service providers.
Q: Do I need a QSA if I complete an SAQ?
A: SAQs are designed for self-assessment, so QSAs are not required for most SAQ types. However, some merchants may choose to engage QSAs for guidance, especially for complex environments or SAQ D assessments.
Q: What documentation do I need to support my SAQ?
A: Required documentation typically includes security policies, network diagrams, vulnerability scan reports, penetration test results, security awareness training records, and evidence of security control implementation.
Q: What are the consequences of non-compliance with PCI DSS?
A: Non-compliance can result in fines from acquiring banks, increased transaction fees, loss of payment processing privileges, and potential liability for data breaches. Penalties vary based on transaction volume and compliance history.
About ZenGRC
ZenGRC transforms PCI compliance from a burden into a strategic advantage through automated evidence collection and continuous monitoring. The platform helps minimize cardholder data environment scope, identifies compliance gaps, and provides clear guidance on achieving full PCI DSS compliance.
ZenGRC’s centralized platform eliminates scattered documentation and provides real-time visibility into compliance posture. Organizations can survey and monitor third-party service providers, maintain comprehensive audit trails, and ensure ongoing PCI DSS compliance through automated monitoring and alerting.
This document provides comprehensive guidance on selecting and completing the appropriate PCI DSS Self-Assessment Questionnaire for your organization’s payment processing requirements.