PCI DSS Compliance Path Wizard

Find the right Self-Assessment Questionnaire for your business based on how you process payments

Business Type

PCI Level

Payment Methods

Step 1: Business Type

1 2 3

Understanding SAQs

Self-Assessment Questionnaires (SAQs) are validation tools for eligible merchants and service providers who self-assess their PCI DSS compliance. Different SAQs exist for various business environments, with varying complexity:

SAQ A: Simplest (22 requirements) - For fully outsourced card processing
SAQ B/B-IP: For merchants using only standalone terminals
SAQ C/C-VT: For merchants with payment systems connected to the internet
SAQ A-EP: For e-commerce merchants with partial outsourcing
SAQ D: Most complex (329 requirements) - For merchants storing card data or with complex environments

Step 1: Identify Business Type

Service Providers

Organizations that process, store, or transmit cardholder data on behalf of other businesses.

Merchants

Businesses that accept payment cards directly from customers for goods or services.

Step 2: Estimate PCI Level

Your level determines your validation requirements based on transaction volume.

Please select a business type in Step 1 to see the appropriate level options.

Level 4 Merchant

SAQ eligible

Less than 20,000 e-commerce or 1 million total transactions annually

Level 3 Merchant

SAQ eligible

20,000 to 1 million e-commerce transactions annually

Level 2 Merchant

SAQ eligible

1 million to 6 million total transactions annually

Level 1 Merchant

ROC required

More than 6 million transactions annually or had a data breach

Level 2 Service Provider

SAQ D-SP eligible

Less than 300,000 transactions annually

Level 1 Service Provider

ROC required

More than 300,000 transactions annually

Unknown / Not Sure

Skip level check

Continue to determine your SAQ type without level verification

Step 3: Payment Environment & Channel Analysis

Answer these questions about your payment environment and select your payment channels to determine the appropriate SAQ.

Storage of Electronic Payment Account Data

Does merchant store any account data, including legacy data?

PCI-listed P2PE Solution

Does merchant accept transactions protected by a PCI-listed P2PE Solution?

PCI-listed SPoC Solution

Does merchant accept transactions protected by a PCI-listed SPoC Solution?

Card-present Transactions

Does merchant accept card-present transactions not protected by a PCI-listed P2PE solution?

How do you process card-present transactions?

Via imprint or dial-out machines, no Internet

SAQ B

Via PTS approved devices with Internet

SAQ B-IP

Via payment app on POS or PC with Internet connection

SAQ C

Via merchant's web-browser sending to third party's "virtual payment terminal solution"

SAQ C-VT

MOTO Transactions

Does merchant accept Mail Order/Telephone Order transactions not protected by a PCI-listed P2PE solution?

How do you process MOTO (Mail Order/Telephone Order) transactions?

Via payment functions completely outsourced to a PCI DSS compliant third-party service provider

No electronic CDH storage,processing, or transmission on merchant systems or premises.

SAQ A

Via imprint or dial-out machines, no Internet

SAQ B

Via PTS approved devices with Internet

SAQ B-IP

Via payment app on POS or PC with Internet connection

SAQ C

Via merchant's web-browser sending to third party's "virtual payment terminal solution"

SAQ C-VT

E-commerce Transactions

Does merchant accept e-commerce transactions?

How do you process e-commerce transactions?

Via payment functions completely outsourced to a PCI DSS compliant third-party service provider

Including all elements of the payment page (for example, via URL redirect or iframe). No electronic account data is stored, processed, or transmitted on merchant systems or premises.

SAQ A

Via payment functions partially outsourced to a PCI DSS compliant third-party service provider

Where merchant website delivers some elements of the payment page (for example, via Direct Post or JavaScript). No electronic account data is stored, processed, or transmitted on merchant systems or premises.

SAQ A-EP

Via systems managed by the merchant

Where payment processing is handled directly on merchant systems.

SAQ D

Card-present Transactions

Select the SAQ that best matches your card-present payment environment:

SAQ A

Card-not-present merchants that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers.

SAQ B

Merchants using only:

Imprint machines with no electronic cardholder data storage; and/or
Standalone, dial-out terminals with no electronic cardholder data storage

SAQ B-IP

Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor.

SAQ C

Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

SAQ C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution.

MOTO Transactions

Select the SAQ that best matches your MOTO payment environment:

SAQ A

MOTO merchants that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers.

SAQ B

MOTO merchants using only:

Imprint machines with no electronic cardholder data storage; and/or
Standalone, dial-out terminals with no electronic cardholder data storage

SAQ C-VT

MOTO merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution.

E-commerce Transactions

Select the SAQ that best matches your e-commerce payment environment:

SAQ A

E-commerce merchants that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers (including all elements of the payment page).

Examples: Complete redirect or iFrame solutions where no cardholder data is transmitted, processed, or stored on merchant systems.

SAQ A-EP

E-commerce merchants that partially outsource payment processing to a PCI DSS compliant third-party service provider, but where the merchant's website affects the security of the payment transaction.

Examples: Direct Post or JavaScript form solutions where the merchant's website delivers some elements of the payment page.

SAQ D for Merchants

E-commerce merchants with systems that process, store, or transmit cardholder data.

Examples: Merchant-managed payment systems where cardholder data is processed on the merchant's systems.

Level 2 Service Provider Validation Requirements

You need to comply with PCI DSS SAQ D for service providers requirement.

https://withpci.com

As a Level 2 service provider which processes, stores, or transmits cardholder data on behalf of other businesses, you need to comply with PCI DSS SAQ D for service providers requirement.

Level 2 Service Provider Requirements

• Validation Method: Annual Self-Assessment Questionnaire (SAQ D) specifically for service providers

• QSA Requirement: Engaging a QSA or ISA is not mandated unless specified by a payment brand or acquiring bank

• Quarterly Scans: Network scans by an Approved Scanning Vendor (ASV)

• Penetration Testing: Annual penetration testing to identify vulnerabilities

• Attestation: Submit an Attestation of Compliance (AOC) documenting SAQ D completion

Details for Level 2 Service Provider

Level 1 Service Provider Requirements

• Validation Method: Annual Report on Compliance (ROC)

• QSA Requirement: Must be conducted by a Qualified Security Assessor (QSA)

• Quarterly Scans: Network scans by an Approved Scanning Vendor (ASV)

• Penetration Testing: Annual penetration testing to identify vulnerabilities

• Attestation: Submit an Attestation of Compliance (AOC) documenting ROC completion

Details for Level 1 Service Provider

Service Provider Requirements by Transaction Volume

Level 1 Service Providers (>300,000 transactions/year)

• Required: Annual Report on Compliance (ROC) conducted by a QSA

• Required: Quarterly ASV scans, annual penetration tests

Level 2 Service Providers (<300,000 transactions/year)

• Required: Annual SAQ D for service providers

• Note: QSA/ISA not required unless specified by payment brand

• Required: Quarterly ASV scans, annual penetration tests

Details for Level 1 Service Provider Details for Level 2 Service Provider

Full Report on Compliance (ROC) Required

Level 1 merchants must complete a full Report on Compliance (ROC).

https://withpci.com

Level 1 merchants must complete a full Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA). SAQs cannot be used for Level 1 merchants.

Level 1 Merchant Requirements

• Validation Method: Annual Report on Compliance (ROC)

• QSA Requirement: Engaging a QSA or ISA is required for compliance validation

• Quarterly Scans: Network scans by an Approved Scanning Vendor (ASV)

• Penetration Testing: Annual penetration testing to identify vulnerabilities

• Internal Scanning: Regular internal vulnerability assessments

• Attestation: Submit an Attestation of Compliance (AOC) documenting ROC completion

More Details for Level 1 Merchant

Compliance Path Identified

Based on your selections, we've determined the following.

https://withpci.com

Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy

Please enable JavaScript to view the comments powered by Disqus.Alternatively, you can view comments at our Disqus forum.