What is a Self-Assessment Questionnaire (SAQ)?
A Self-Assessment Questionnaire (SAQ) is a PCI DSS validation tool designed for merchants and service providers who are eligible to self-assess their compliance with the Payment Card Industry Data Security Standard. Instead of undergoing a full on-site audit by a Qualified Security Assessor (QSA), eligible organizations complete an SAQ to document their compliance status.
SAQ types
The PCI Security Standards Council provides multiple SAQ types, each designed for a specific merchant or service provider environment:
- SAQ A — for merchants that have fully outsourced all cardholder data functions to PCI-compliant third parties (e-commerce with redirect or iframe)
- SAQ A-EP — for e-commerce merchants that partially outsource payment processing but whose website may impact transaction security
- SAQ B — for merchants using only imprint machines or standalone dial-out payment terminals
- SAQ B-IP — for merchants using standalone PTS-approved payment terminals connected via IP
- SAQ C — for merchants with payment application systems connected to the internet
- SAQ C-VT — for merchants manually entering single transactions via a virtual terminal on an isolated computer
- SAQ D — the most comprehensive questionnaire, for merchants and service providers that do not qualify for any other SAQ type
- SAQ P2PE — for merchants using validated point-to-point encryption solutions
Determining which SAQ applies
The correct SAQ depends on how your organization processes, stores, and transmits cardholder data. Key factors include:
- Whether you store cardholder data or only transmit it
- Whether payment processing is fully outsourced
- What types of payment channels you use (e-commerce, point-of-sale, mail/telephone)
- Whether you use validated P2PE solutions
Selecting the wrong SAQ type leads to one of two problems: unnecessary work (choosing a more extensive SAQ than your environment requires) or inadequate coverage (choosing one that does not address the risks actually present in your environment).
What the SAQ contains
Each SAQ includes:
- Questions aligned to PCI DSS requirements — the number of questions varies by SAQ type, from approximately 22 (SAQ A) to over 300 (SAQ D)
- Response options — yes, no, N/A, or compensating control for each requirement
- Compensating control documentation — if a requirement cannot be met directly, a compensating control worksheet documents the alternative approach
- Attestation of Compliance (AOC) — a formal statement signed by the organization's executive management attesting to the accuracy of the SAQ
Who requires SAQs
Acquiring banks and payment brands determine whether a merchant or service provider must submit an SAQ based on transaction volume:
- Level 1 merchants (highest transaction volumes) typically require an on-site assessment by a QSA rather than an SAQ
- Level 2-4 merchants are generally eligible for self-assessment via SAQ
- Requirements may vary by payment brand (Visa, Mastercard, etc.)
Common challenges
Organizations commonly encounter the following challenges when completing an SAQ:
- Difficulty determining the correct SAQ type
- Incomplete understanding of the cardholder data environment
- Gaps between the organization's actual practices and SAQ requirements
- Lack of documentation to support "yes" answers
How episki helps
episki guides you through SAQ selection based on your payment processing environment and helps you document controls and evidence for each applicable requirement. The platform tracks completion status and flags gaps before submission. Learn more on our PCI DSS compliance page.