PCI DSS SAQ Wizard

Find the right Self-Assessment Questionnaire for your business based on how you process payments

Business Type

PCI Level

Payment Methods

Step 1: Business Type

1 2 3

Understanding SAQs

Self-Assessment Questionnaires (SAQs) are validation tools for eligible merchants and service providers who self-assess their PCI DSS compliance. Different SAQs exist for various business environments, with varying complexity:

SAQ A: Simplest (22 requirements) - For fully outsourced card processing
SAQ B/B-IP: For merchants using only standalone terminals
SAQ C/C-VT: For merchants with payment systems connected to the internet
SAQ A-EP: For e-commerce merchants with partial outsourcing
SAQ D: Most complex (329 requirements) - For merchants storing card data or with complex environments

Step 1: Identify Business Type

Service Providers

Select this option

Organizations that process, store, or transmit cardholder data on behalf of other businesses.

Merchants

Select this option

Businesses that accept payment cards directly from customers for goods or services.

Step 2: Estimate PCI Level

Your level determines your validation requirements based on transaction volume.

Please select a business type in Step 1 to see the appropriate level options.

Level 4 Merchant

SAQ eligible

Less than 20,000 e-commerce or 1 million total transactions annually

Level 3 Merchant

SAQ eligible

20,000 to 1 million e-commerce transactions annually

Level 2 Merchant

SAQ eligible

1 million to 6 million total transactions annually

Level 1 Merchant

ROC required

More than 6 million transactions annually or had a data breach

Level 2 Service Provider

SAQ D-SP eligible

Less than 300,000 transactions annually

Level 1 Service Provider

ROC required

More than 300,000 transactions annually

Unknown / Not Sure

Skip level check

Continue to determine your SAQ type without level verification

Step 3: Payment Environment & Channel Analysis

Answer these questions about your payment environment and select your payment channels to determine the appropriate SAQ.

Storage of Electronic Payment Account Data

Does merchant store any account data, including legacy data?

PCI-listed P2PE Solution

Does merchant accept transactions protected by a PCI-listed P2PE Solution?

PCI-listed SPoC Solution

Does merchant accept transactions protected by a PCI-listed SPoC Solution?

Card-present Transactions

Physical card transactions using terminals, POS systems, or imprint machines

How do you process card-present transactions?

Via imprint or dial-out machines, no Internet

Does merchant accept card-present transactions with no storage of payment account data?

SAQ B

Via PTS approved devices with Internet

Via PTS approved devices with Internet connection (AND/OR)

SAQ B-IP

Via payment app on POS or PC with Internet connection

Via payment app on POS or PC with Internet connection (AND/OR)

SAQ C

Via merchant's web-browser sending to third party's \"virtual payment terminal solution\"

Via merchant's web-browser sending to third party's \"virtual payment terminal solution\" (AND/OR)

SAQ C-VT

Via payment functions completely outsourced to a PCI DSS compliant third-party service provider

Via payment functions completely outsourced to a PCI DSS compliant third-party service provider. No electronic account data is stored, processed, or transmitted on merchant systems or premises.

SAQ A

MOTO Transactions

Mail Order/Telephone Order transactions where cards are not physically present

How do you process MOTO (Mail Order/Telephone Order) transactions?

Via payment functions completely outsourced to a PCI DSS compliant third-party service provider

Does merchant accept MOTO transactions with no storage of payment account data? Via payment functions completely outsourced to a PCI DSS compliant third-party service provider. No electronic account data is stored, processed, or transmitted on merchant systems or premises.

SAQ A

Via imprint or dial-out machines, no Internet

Via imprint or dial-out machines with no Internet connection (AND/OR)

SAQ B

Via PTS approved devices with Internet

Via PTS approved devices with Internet connection (AND/OR)

SAQ B-IP

Via payment app on POS or PC with Internet connection

Via payment app on POS or PC with Internet connection (AND/OR)

SAQ C

Via merchant's web-browser sending to third party's \"virtual payment terminal solution\"

Via merchant's web-browser sending to third party's \"virtual payment terminal solution\" (AND/OR)

SAQ C-VT

E-commerce Transactions

Online transactions through websites or mobile apps

How do you process e-commerce transactions?

Via payment functions completely outsourced to a PCI DSS compliant third-party service provider

Does merchant accept e-commerce transactions? Via payment functions completely outsourced to a PCI DSS compliant third-party service provider, including all elements of the payment page (for example, via URL redirect or iframe). No electronic account data is stored, processed, or transmitted on merchant systems or premises.

SAQ A

Via payment functions partially outsourced to a PCI DSS compliant third-party service provider

Via payment functions partially outsourced to a PCI DSS compliant third-party service provider, where merchant website delivers some elements of the payment page (for example, via Direct Post or JavaScript). No electronic account data is stored, processed, or transmitted on merchant systems or premises.

SAQ A-EP

Via systems managed by the merchant

Via systems managed by the merchant where payment processing is handled directly on merchant systems.

SAQ D

Card-present Transactions

Select the SAQ that best matches your card-present payment environment:

SAQ A

Card-not-present merchants that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers.

SAQ B

Merchants using only:

Imprint machines with no electronic cardholder data storage; and/or
Standalone, dial-out terminals with no electronic cardholder data storage

SAQ B-IP

Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor.

SAQ C

Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

SAQ C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution.

MOTO Transactions

Select the SAQ that best matches your MOTO payment environment:

SAQ A

MOTO merchants that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers.

SAQ B

MOTO merchants using only:

Imprint machines with no electronic cardholder data storage; and/or
Standalone, dial-out terminals with no electronic cardholder data storage

SAQ C-VT

MOTO merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution.

E-commerce Transactions

Select the SAQ that best matches your e-commerce payment environment:

SAQ A

E-commerce merchants that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers (including all elements of the payment page).

Examples: Complete redirect or iFrame solutions where no cardholder data is transmitted, processed, or stored on merchant systems.

SAQ A-EP

E-commerce merchants that partially outsource payment processing to a PCI DSS compliant third-party service provider, but where the merchant's website affects the security of the payment transaction.

Examples: Direct Post or JavaScript form solutions where the merchant's website delivers some elements of the payment page.

SAQ D for Merchants

E-commerce merchants with systems that process, store, or transmit cardholder data.

Examples: Merchant-managed payment systems where cardholder data is processed on the merchant's systems.

Level 2 Service Provider Validation Requirements

You need to comply with PCI DSS SAQ D for service providers requirement.

https://withpci.com

As a Level 2 service provider which processes, stores, or transmits cardholder data on behalf of other businesses, you need to comply with PCI DSS SAQ D for service providers requirement.

Level 2 Service Providers

Service providers that process less than 300,000 transactions annually can complete SAQ D for Service Providers.

Scope

All systems and processes in your cardholder data environment

Implementation Difficulty

High

Key Requirements

Covers all 12 PCI DSS requirements including network security, encryption, access controls, monitoring, testing, and security policies specific to service providers.

Check SAQ D for Service Providers

Level 1 Service Providers

Service providers that process more than 300,000 transactions annually must complete a full Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA).

SAQs cannot be used for Level 1 Service Providers.

Learn More About ROC Requirements

Full Report on Compliance (ROC) Required

Level 1 merchants must complete a full Report on Compliance (ROC).

https://withpci.com

Level 1 merchants must complete a full Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). SAQs cannot be used for Level 1 merchants.

Learn More About ROC Requirements

Your Applicable SAQ(s)

Compliance Path Identified

Based on your selections, we've identified the appropriate Self-Assessment Questionnaire(s) for your business.

https://withpci.com

Important Notes:

Merchants with more than one payment channel should consult with their compliance-accepting entities (for example, payment brands and acquirers) about validation and reporting requirements.
Merchants must meet all eligibility criteria for any applicable SAQ.
For detailed eligibility criteria for each SAQ, please refer to the PCI Security Standards Council website.

Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy

Please enable JavaScript to view the comments powered by Disqus.Alternatively, you can view comments at our Disqus forum.