PCI DSS Self-Assessment Questionnaire (SAQ)
What is a PCI DSS Self-Assessment Questionnaire?
The Self-Assessment Questionnaire (SAQ) is a validation tool provided by the PCI Security Standards Council for merchants and service providers who are not required to undergo a full on-site assessment by a Qualified Security Assessor (QSA). It allows organizations to self-evaluate their adherence to the PCI DSS requirements and report their compliance status to their acquiring bank or payment brand.
The SAQ is a critical component of PCI DSS compliance for the vast majority of merchants. While Level 1 merchants must complete a formal Report on Compliance (ROC) through a QSA or Internal Security Assessor (ISA), merchants at Levels 2 through 4 typically validate compliance through the appropriate SAQ type (some payment brands require a QSA or ISA to sign a Level 2 merchant's SAQ, so confirm the rules of your acquirer's program). Choosing the correct SAQ is one of the most important early decisions in your compliance journey.
SAQ types and eligibility
The PCI SSC publishes several SAQ types, each tailored to a specific payment processing environment. Selecting the wrong SAQ can result in wasted effort or gaps in your compliance validation. The most common types are described below; SAQ B-IP (standalone IP-connected terminals) and SAQ P2PE (merchants using a validated point-to-point encryption solution) also exist and are worth checking before defaulting to SAQ D. Question counts given below are approximate and change between PCI DSS versions, so check the SAQ document for the version your acquirer expects.
SAQ A - Card-not-present merchants (fully outsourced)
SAQ A is the shortest and simplest questionnaire. It applies to e-commerce or mail/telephone-order merchants that have fully outsourced all cardholder data functions to PCI DSS-validated third-party service providers. Your website must not directly receive, process, store, or transmit cardholder data at any point.
Eligibility criteria:
- All payment processing is entirely outsourced to validated third parties
- Your website does not receive cardholder data, even transiently
- No electronic storage, processing, or transmission of cardholder data on your systems
- You have confirmed your third-party providers are PCI DSS compliant
SAQ A contains approximately 22 questions and focuses primarily on policies, procedures, and service provider management.
SAQ A-EP - E-commerce merchants with partial outsourcing
SAQ A-EP applies to e-commerce merchants that outsource payment processing but whose website could still impact the security of the payment transaction. This commonly applies when your website controls how the customer or their card data is handed to the processor, for example a direct-post form or processor JavaScript embedded in a page you serve, or when your site includes scripts that could be manipulated to capture cardholder data. A full redirect, or an iframe whose contents come entirely from the PCI DSS-validated provider, can still qualify for SAQ A; as soon as any element of the payment page originates from your own systems, SAQ A-EP is the usual fit.
Eligibility criteria:
- Payment processing is outsourced to a PCI DSS-validated third party
- Your website does not receive cardholder data directly, but it can affect the security of the transaction
- No electronic storage of cardholder data
SAQ A-EP is significantly longer than SAQ A, containing approximately 139 questions. It covers vulnerability scanning, penetration testing, and web application security, reflecting the risk that compromised website code (for example, a skimming script injected into the checkout page) could intercept payment data.
SAQ B - Imprint or standalone terminal merchants
SAQ B applies to merchants that process cardholder data only through imprint machines or standalone, dial-out payment terminals. These terminals must not be connected to the internet or any other systems in your environment.
Eligibility criteria:
- Only imprint machines or standalone dial-out terminals are used
- Terminals are not connected to the internet
- No electronic cardholder data storage
- No e-commerce channel
SAQ B contains approximately 41 questions and focuses primarily on physical security, terminal management, and policies.
SAQ C - Merchants with payment application systems
SAQ C applies to merchants that process cardholder data through payment application systems connected to the internet but do not store cardholder data electronically. This is common for brick-and-mortar retailers using point-of-sale systems with IP connectivity.
Eligibility criteria:
- Payment application system is connected to the internet for payment processing
- Payment application system is not connected to any other systems within the environment
- The physical store and POS environment are not connected to other locations
- No electronic cardholder data storage
- No e-commerce channel
SAQ C contains approximately 160 questions and covers network segmentation, system hardening, access controls, and vulnerability management relevant to the payment application environment.
SAQ C-VT - Virtual terminal merchants
SAQ C-VT is a variant for merchants that manually enter a single transaction at a time through a virtual terminal provided by a PCI DSS-validated third-party service provider. This applies to call center or mail-order operations where an operator keys in card data via a web browser.
Eligibility criteria:
- Payment processing occurs only via a virtual terminal accessed through a web browser
- The virtual terminal is provided by a PCI DSS-validated service provider
- The workstation used for the virtual terminal is isolated in a single location and is not connected to other systems in your environment
- No electronic cardholder data storage
- No e-commerce channel
SAQ C-VT contains approximately 79 questions.
SAQ D - All other merchants and service providers
SAQ D is the most comprehensive questionnaire and serves as the catch-all for any merchant or service provider that does not meet the eligibility criteria for the other SAQ types. SAQ D comes in two versions: SAQ D for Merchants and SAQ D for Service Providers.
When SAQ D applies:
- You store cardholder data electronically
- You do not meet the eligibility criteria for any other SAQ type
- Your acquiring bank or payment brand requires it
- You are a service provider
SAQ D contains approximately 329 questions and covers all 12 PCI DSS requirements comprehensively. It essentially mirrors the scope of a full ROC assessment but is completed as a self-assessment.
How to determine your SAQ type
Choosing the correct SAQ requires a thorough understanding of how cardholder data flows through your environment:
- Map your payment flows - Document exactly how cardholder data enters, moves through, and exits your environment. Include all channels: e-commerce, in-store, phone orders, and mobile.
- Identify data touchpoints - Determine whether your systems receive, process, store, or transmit cardholder data at any stage.
- Evaluate your technology - Assess whether you use outsourced payment pages, iframes, redirects, standalone terminals, virtual terminals, or payment applications.
- Consult your acquirer - Your acquiring bank may have specific requirements or preferences regarding which SAQ type you should complete.
- Consider scope reduction - Techniques like tokenization, point-to-point encryption (P2PE), and network segmentation can simplify your environment and potentially qualify you for a shorter SAQ. See PCI DSS scope reduction for more detail.
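The five steps above are, in effect, a decision tree over the eligibility criteria listed earlier on this page. The following is an added example, not code from the page or from the PCI SSC, that encodes those criteria as a function so the "hard stops" (stored cardholder data, a website that receives card data, mixed channels) are applied before any shorter SAQ is considered. The `PaymentEnvironment` fields, the `Channel` and `SAQ` enums, and the scenario names are this example's own assumptions; the output is a starting point for the conversation with your acquirer, who has the final say, and it deliberately does not model SAQ B-IP or SAQ P2PE.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Channel(str, Enum):
    ECOMMERCE = "e-commerce"
    MOTO = "mail/telephone order"
    CARD_PRESENT = "card-present"


class SAQ(str, Enum):
    A = "SAQ A"
    A_EP = "SAQ A-EP"
    B = "SAQ B"
    C = "SAQ C"
    C_VT = "SAQ C-VT"
    D = "SAQ D"


@dataclass(frozen=True)
class PaymentEnvironment:
    """Answers to the eligibility questions on this page. Hypothetical model
    for this example; the field names are not a PCI SSC artifact."""
    channels: frozenset
    stores_cardholder_data: bool = False
    is_service_provider: bool = False
    third_parties_validated: bool = True
    # card-not-present flows
    processing_fully_outsourced: bool = False
    website_receives_cardholder_data: bool = False
    website_affects_transaction_security: bool = False  # direct-post form or merchant JS on the payment page
    virtual_terminal_only: bool = False                 # operator keys one transaction at a time
    # card-present flows
    imprint_or_dialout_terminals_only: bool = False
    terminals_internet_connected: bool = False
    payment_app_isolated: bool = False                  # IP-connected POS segmented from everything else
    location_connected_to_other_sites: bool = False


def select_saq(env: PaymentEnvironment) -> tuple[SAQ, str]:
    """Return the SAQ the environment appears eligible for and the deciding reason."""
    if not env.channels:
        raise ValueError("describe at least one payment channel")
    # Hard stops: these force SAQ D no matter how the channels look.
    if env.is_service_provider:
        return SAQ.D, "service providers complete SAQ D for Service Providers"
    if env.stores_cardholder_data:
        return SAQ.D, "electronic storage of cardholder data rules out every shorter SAQ"
    if not env.third_parties_validated:
        return SAQ.D, "third-party providers not confirmed PCI DSS compliant"
    if env.channels <= {Channel.ECOMMERCE, Channel.MOTO}:
        return _card_not_present(env)
    if env.channels == {Channel.CARD_PRESENT}:
        return _card_present(env)
    # SAQ B, C and C-VT all require "no e-commerce channel"; a mixed estate
    # needs SAQ D unless the acquirer agrees to a separate SAQ per channel.
    return SAQ.D, "card-present and card-not-present channels together do not fit one shorter SAQ"


def _card_not_present(env: PaymentEnvironment) -> tuple[SAQ, str]:
    if env.website_receives_cardholder_data:
        return SAQ.D, "website receives cardholder data, even transiently"
    if env.channels == {Channel.MOTO} and env.virtual_terminal_only:
        return SAQ.C_VT, "single transactions keyed into a validated provider's virtual terminal"
    if not env.processing_fully_outsourced:
        return SAQ.D, "payment processing is not fully outsourced"
    if env.website_affects_transaction_security:
        if env.channels == {Channel.ECOMMERCE}:
            return SAQ.A_EP, "website can affect the security of the payment transaction"
        # Modelling assumption: SAQ A-EP is written for e-commerce-only merchants.
        return SAQ.D, "SAQ A-EP covers e-commerce only; combined with MOTO this needs SAQ D"
    return SAQ.A, "all cardholder data functions outsourced; website never touches cardholder data"


def _card_present(env: PaymentEnvironment) -> tuple[SAQ, str]:
    if env.imprint_or_dialout_terminals_only:
        if not env.terminals_internet_connected:
            return SAQ.B, "imprint machines or standalone dial-out terminals only"
        # Standalone IP terminals are the SAQ B-IP case, not modelled here: fall back conservatively.
        return SAQ.D, "standalone IP terminals are outside the SAQ types modelled here (see SAQ B-IP)"
    if env.payment_app_isolated and not env.location_connected_to_other_sites:
        return SAQ.C, "internet-connected payment application isolated from other systems and sites"
    return SAQ.D, "payment application is connected to other systems or locations"


if __name__ == "__main__":
    # Constructed scenarios, one per eligibility pattern described on this page.
    scenarios = {
        "hosted checkout redirect": PaymentEnvironment(
            channels=frozenset({Channel.ECOMMERCE}), processing_fully_outsourced=True),
        "direct-post payment form": PaymentEnvironment(
            channels=frozenset({Channel.ECOMMERCE}), processing_fully_outsourced=True,
            website_affects_transaction_security=True),
        "call centre virtual terminal": PaymentEnvironment(
            channels=frozenset({Channel.MOTO}), virtual_terminal_only=True),
        "shop plus web store": PaymentEnvironment(
            channels=frozenset({Channel.CARD_PRESENT, Channel.ECOMMERCE}),
            payment_app_isolated=True, processing_fully_outsourced=True),
    }
    for name, env in scenarios.items():
        saq, why = select_saq(env)
        print(f"{name:30} -> {saq.value:9} ({why})")
```

The order of the checks is the point: storage of cardholder data, an unvalidated provider, or a site that ever receives card data ends the analysis at SAQ D before any shorter questionnaire is considered, which is how an assessor reasons through the same list. Add fields as your own environment needs them (for example a flag for a validated P2PE solution), but keep the disqualifiers ahead of the eligibility rules.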
Completing the SAQ
Once you have identified the correct SAQ type, the completion process involves several steps:
Gather evidence
For each applicable question, you will need to demonstrate that the corresponding control is in place. This includes policies, configuration screenshots, scan reports, access reviews, training records, and other artifacts. Automating evidence collection through a compliance platform reduces the time and effort required.
Answer each question
Every question in the SAQ requires exactly one response. The PCI DSS v4.x SAQs use the following options (the older v3.2.1 questionnaires label the same options Yes, Yes with CCW, No, N/A, and Not Tested):
- In Place - The control is fully in place
- In Place with CCW - The control is in place by means of a compensating control, documented in a Compensating Control Worksheet
- Not in Place - The control is not in place
- Not Applicable - The question does not apply to your environment (a written justification is required)
- Not Tested - The requirement was excluded from the assessment, which is only acceptable if your acquirer or payment brand has agreed to a partial assessment
Any "Not in Place" response indicates a gap that must be remediated before you can attest to compliance.
Compensating controls
If you cannot meet a specific requirement as stated, PCI DSS allows compensating controls that mitigate the associated risk to an acceptable level. Compensating controls must be documented in a Compensating Control Worksheet and meet specific criteria: they must meet the intent and rigor of the original requirement, provide a similar level of defense, go above and beyond other PCI DSS requirements (simply complying with a different requirement does not count), and be commensurate with the additional risk created by not meeting the original requirement. They are re-evaluated at every assessment, so a compensating control is a documented exception to maintain, not a permanent substitute.
Attestation of Compliance
After completing the SAQ, an authorized officer of the organization must sign the Attestation of Compliance (AOC), confirming the accuracy of the self-assessment. The completed SAQ and AOC are then submitted to your acquiring bank (or to the payment brand, where it requests them directly). Where your SAQ includes quarterly external vulnerability scanning (SAQ A-EP, SAQ C, and SAQ D among them), passing scan results from an Approved Scanning Vendor (ASV) accompany the submission.
Common pitfalls
- Selecting the wrong SAQ type - Choosing a simpler SAQ than your environment warrants leaves gaps in your validation and may result in non-compliance findings.
- Incomplete scoping - Failing to account for all payment channels, third-party integrations, or data flows leads to an inaccurate assessment.
- Point-in-time mindset - The SAQ validates your compliance posture at a moment in time, but PCI DSS v4.0 emphasizes continuous compliance. Build processes that maintain controls year-round.
- Ignoring third-party risk - Even with outsourced payment processing, you remain responsible for ensuring your service providers maintain their PCI DSS compliance.
Organizations in the fintech industry often manage complex payment flows across multiple channels, making SAQ selection and scoping particularly important: a single channel that does not meet the criteria of a shorter SAQ pulls the whole assessment into SAQ D. A well-structured compliance program with automated evidence collection helps keep the SAQ process efficient and accurate.