# Understanding the SAQs for PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) requires organizations that handle payment card data to validate their compliance. For many merchants and service providers, this is achieved through a Self-Assessment Questionnaire (SAQ)—a tool designed to help eligible organizations assess and report on their security posture without a full onsite audit.
This article explains what SAQs are, why they matter, and how to choose the right one for your business, using clear tables for comparison.
## What Is a PCI DSS Self-Assessment Questionnaire (SAQ)?
A PCI DSS SAQ is a validation tool that eligible merchants and service providers use to self-assess and report their PCI DSS compliance. Each SAQ is tailored for specific payment environments and acceptance channels. Choosing the correct SAQ is crucial, as it ensures you address only the requirements relevant to your cardholder data environment.
- Merchants: Entities accepting payment cards for goods/services.
- Service Providers: Entities processing, storing, or transmitting cardholder data on behalf of others.
> "There are several different SAQs, developed for specific types of environments as defined in each SAQ's eligibility criteria. Each SAQ contains a section outlining the type of environment that the SAQ is intended for. All the eligibility criteria for a particular SAQ must be met to use that SAQ."
## Why Are There Different SAQs?
Different business models and payment channels present varying risks and system complexities. The PCI SSC created multiple SAQs to ensure each type of merchant or service provider answers questions relevant to their payment environment—streamlining compliance and reducing unnecessary effort.
## Overview of PCI DSS SAQ Types
Below is a summary table of the main SAQ types, who should use them, and their key characteristics:
SAQ Type | Intended For | Cardholder Data Handling | Electronic Data Storage | Payment Channels |
---|---|---|---|---|
A | Merchants fully outsourcing payment processing | No electronic processing or storage; all handled by PCI DSS compliant third parties | No | E-commerce, Mail/Phone |
A-EP | E-commerce merchants with website that can affect payment page security | No direct handling, but website can impact transaction security | No | E-commerce |
B | Merchants using only standalone, dial-out terminals or imprint machines | No electronic storage; terminals not internet-connected | No | Brick-and-mortar, Mail/Phone |
B-IP | Merchants using standalone, IP-connected payment terminals | No electronic storage; terminals connected via IP | No | Brick-and-mortar, Mail/Phone |
C | Merchants with payment application systems connected to the Internet | No electronic storage; payment application on merchant systems | No | Brick-and-mortar, Mail/Phone |
C-VT | Merchants manually entering transactions via virtual terminal | No electronic storage; transactions entered one at a time on isolated device | No | Brick-and-mortar, Mail/Phone |
P2PE-HW | Merchants using only PCI-listed P2PE hardware terminals | No electronic storage; data encrypted at terminal | No | Brick-and-mortar, Mail/Phone |
D (Merchant) | Merchants not fitting above categories or storing/processing/transmitting data electronically | May store, process, or transmit cardholder data | Yes | Any |
D (Service Provider) | Service providers eligible to self-assess | May store, process, or transmit cardholder data | Yes | Any |
## SAQ Selection: Key Criteria
SAQ Type | Merchant Type | Cardholder Data Flow | Storage Allowed | E-commerce Eligible | Face-to-Face Eligible |
---|---|---|---|---|---|
A | Card-not-present only | Fully outsourced | No | Yes | No |
A-EP | E-commerce | Website can affect payment page | No | Yes | No |
B | Brick-and-mortar, MOTO | Standalone, dial-out terminals only | No | No | Yes |
B-IP | Brick-and-mortar, MOTO | Standalone, IP-connected terminals only | No | No | Yes |
C | Brick-and-mortar, MOTO | Payment app on Internet-connected device | No | No | Yes |
C-VT | Brick-and-mortar, MOTO | Virtual terminal, manual entry | No | No | Yes |
P2PE-HW | Brick-and-mortar, MOTO | PCI-listed P2PE hardware only | No | No | Yes |
D (Merchant) | Any | All other environments | Yes | Yes | Yes |
D (Service Provider) | Service Provider | All other environments | Yes | Yes | Yes |
## SAQ Requirements and Complexity
SAQs vary in the number of questions and in the security testing they require. Simpler environments (such as fully outsourced e-commerce) answer fewer questions and may need no scanning or penetration testing, while complex environments must address all applicable PCI DSS controls, including quarterly vulnerability scans and penetration testing. The question counts below are approximate and differ between PCI DSS versions.
SAQ Type | Approx. # Questions | Vulnerability Scans Required | Penetration Testing Required |
---|---|---|---|
A | ~22 | No | No |
A-EP | ~191 | Yes | Yes |
B | ~41 | No | No |
B-IP | ~82 | Yes | No |
C | ~160 | Yes | No |
C-VT | ~79 | No | No |
P2PE-HW | ~33 | No | No |
D | ~329 | Yes | Yes |
## How to Choose the Right SAQ
Follow these steps to select the appropriate SAQ:
- Determine your business type: Are you a merchant or a service provider?
- Assess your payment channels: Do you process payments online, in person, or via mail/phone?
- Map your data flow: Do you store, process, or transmit cardholder data on your systems?
- Outsourcing: If you outsource payment processing, confirm the PCI DSS compliance of your third-party providers.
- Consult your acquirer or payment brand: When in doubt, check with your acquiring bank or payment brand for guidance.
## SAQ Completion and Attestation
- SAQ: Complete the questionnaire relevant to your environment.
- Attestation of Compliance (AOC): Sign and submit this form, confirming the accuracy of your SAQ and your eligibility for self-assessment.
- Maintain documentation: Keep evidence of compliance and remediation plans for any "No" answers.
## Conclusion
Understanding and selecting the correct PCI DSS SAQ is essential for streamlined, effective compliance. By accurately mapping your payment environment to the right SAQ, you ensure that you meet PCI DSS requirements without unnecessary effort—reducing risk and supporting secure payment processing.
If you are unsure which SAQ applies to your business, consult your acquiring bank or a PCI DSS Qualified Security Assessor for guidance.