PCI DSS Self-Assessment Questionnaire (SAQ) Guide
The PCI DSS self-assessment questionnaire (SAQ) is how most merchants validate their compliance with payment card industry standards. Instead of undergoing a full on-site audit, eligible businesses complete the appropriate PCI DSS self-assessment questionnaire to demonstrate they meet all applicable security requirements. This guide explains each SAQ type, who qualifies, and how to complete the process correctly.
Getting the SAQ wrong creates real risk. For startups and SMBs accepting card payments for the first time, the PCI DSS self-assessment questionnaire process can feel overwhelming. Over 80% of Level 4 merchants use an SAQ rather than a full audit. Choosing the incorrect PCI DSS self-assessment questionnaire type can leave security gaps unexamined. Submitting an incomplete SAQ can trigger fines from your acquiring bank or payment processor.
What Is a PCI DSS Self-Assessment Questionnaire?
The PCI DSS SAQ is a validation tool developed by the PCI Security Standards Council (PCI SSC). It allows merchants and service providers who handle relatively low volumes of card transactions, or who have outsourced most card processing functions, to self-certify their compliance without hiring a Qualified Security Assessor (QSA).
The SAQ contains yes/no questions that map directly to PCI DSS requirements. Each question corresponds to a specific control. Answering "yes" means you have implemented that control. Answering "no" means you have a gap that must be remediated before you can attest to compliance.
The SAQ also includes an Attestation of Compliance (AOC), a formal declaration signed by an authorized company officer confirming that the assessment is accurate and complete.
PCI DSS SAQ Types Explained
There are nine SAQ types under PCI DSS 4.0. Each applies to a specific merchant or service provider environment. The type you need depends on how you accept, process, store, and transmit cardholder data.
SAQ A: Card-Not-Present, Fully Outsourced
Who qualifies: E-commerce or mail/telephone-order merchants who have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers. No electronic cardholder data storage, processing, or transmission on merchant systems.
Number of requirements: 22 questions
Common use case: An online store that uses Stripe Checkout or PayPal hosted payment pages. The merchant website redirects customers to the payment provider's domain for card entry. No card data ever touches the merchant's servers.
SAQ A-EP: E-Commerce with Partial Outsourcing
Who qualifies: E-commerce merchants who outsource payment processing but whose website controls how the payment page is delivered to customers. The merchant website hosts JavaScript or an iframe from the payment processor, meaning a website compromise could affect cardholder data.
Number of requirements: 191 questions
Common use case: A website using Stripe Elements or Braintree Drop-in UI embedded directly on the merchant checkout page. The card data goes directly to the processor, but the merchant page controls the form rendering.
SAQ B: Imprint or Standalone Dial-Out Terminals
Who qualifies: Merchants using only imprint machines or standalone dial-out payment terminals with no electronic cardholder data storage. No internet-connected payment processing.
Number of requirements: 41 questions
Common use case: A small retail shop using a standalone credit card terminal that connects directly to the processor via phone line, with no connection to the store's computer network or internet.
SAQ B-IP: Standalone IP-Connected Terminals
Who qualifies: Merchants using only standalone PTS-approved point-of-interaction (POI) terminals connected to the payment processor via IP. No electronic cardholder data storage. Terminals are not connected to any other systems in the merchant environment.
Number of requirements: 82 questions
Common use case: A restaurant using a countertop payment terminal that connects to the processor over the internet but is segmented from the restaurant's Wi-Fi and business network.
SAQ C-VT: Virtual Terminal, No Electronic Storage
Who qualifies: Merchants who manually enter one transaction at a time into a virtual terminal provided by their payment processor. The virtual terminal is accessed from the merchant's internet-connected computer. No electronic cardholder data storage.
Number of requirements: 79 questions
Common use case: A service business where an employee enters customer card numbers into a browser-based payment portal during phone orders, one transaction at a time.
SAQ C: Payment Application Connected to Internet
Who qualifies: Merchants with payment application systems (POS) connected to the internet, but no electronic cardholder data storage. The POS processes cards in real time and sends data to the processor without storing it.
Number of requirements: 160 questions
Common use case: A retail store running a POS system that processes transactions over the internet and sends cardholder data directly to the payment processor.
SAQ P2PE: Hardware Payment Terminals with P2PE
Who qualifies: Merchants using only hardware payment terminals included in a validated PCI-listed Point-to-Point Encryption (P2PE) solution. No electronic cardholder data storage. All payment processing handled by P2PE validated terminals.
Number of requirements: 33 questions
Common use case: A merchant using Verifone P2PE-validated terminals where card data is encrypted at the point of interaction and decrypted only by the payment processor.
SAQ D for Merchants: All Other Merchants
Who qualifies: All merchants that do not qualify for any other SAQ type. This includes merchants that store cardholder data electronically, those with complex payment environments, or those that cannot segment their cardholder data environment.
Number of requirements: 329 questions
Common use case: A large retailer that stores cardholder data for recurring billing, or a merchant with a complex multi-channel payment environment.
SAQ D for Service Providers
Who qualifies: Service providers eligible to self-assess (processing fewer than 300,000 transactions annually for Visa, or as determined by each payment brand). Covers all PCI DSS requirements applicable to the service provider's environment.
Number of requirements: 329 questions
How to Choose the Right PCI DSS Self-Assessment Questionnaire

Selecting the wrong SAQ type is one of the most common PCI compliance mistakes. Follow this decision process:
- Map your cardholder data flow. Document every point where card data enters, moves through, and exits your systems. Include third-party processors, gateways, and hosted payment pages.
- Identify your merchant category. Are you e-commerce only, brick-and-mortar, both, or mail/telephone order?
- Determine if you store cardholder data electronically. If yes, you likely need SAQ D.
- Evaluate your outsourcing level. The more payment functions you outsource to PCI-compliant providers, the simpler your SAQ type.
- Confirm with your acquiring bank. Your acquirer has final authority over which SAQ type applies to your business.
SAQ Comparison at a Glance
| SAQ Type | Questions | Card Storage | Environment |
|----------|-----------|--------------|-------------|
| A | 22 | None | Fully outsourced (e-commerce/MOTO) |
| A-EP | 191 | None | E-commerce, partial outsource |
| B | 41 | None | Imprint/dial-out terminals |
| B-IP | 82 | None | Standalone IP terminals |
| C-VT | 79 | None | Virtual terminal only |
| C | 160 | None | POS connected to internet |
| P2PE | 33 | None | P2PE validated terminals |
| D (Merchant) | 329 | Possible | All other merchants |
| D (SP) | 329 | Possible | Service providers |
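The decision process and comparison table above, turned into code as an added example (my own illustration, not code from the page, PCI SSC, or any acquirer): a classifier that encodes the eligibility rules of the nine SAQ types, including the SAQ A versus A-EP distinction and the fall-back to SAQ D for stored data or multi-channel environments. The PaymentEnvironment field names are assumptions about what a data-flow map records, and the acquirer keeps the final say on the result.

```python
from dataclasses import dataclass

@dataclass
class PaymentEnvironment:
    """Facts from the cardholder data flow map. Field names are assumed."""
    is_service_provider: bool = False
    stores_chd_electronically: bool = False           # any electronic CHD storage
    card_not_present: bool = False                    # e-commerce or MOTO channel
    provider_hosts_whole_payment_page: bool = False   # redirect to provider's domain
    merchant_page_embeds_provider_code: bool = False  # provider JS/iframe on merchant page
    p2pe_validated_terminals_only: bool = False
    standalone_terminals: bool = False
    terminals_use_ip: bool = False                    # IP-connected rather than dial-out
    terminals_connected_to_other_systems: bool = False
    virtual_terminal_only: bool = False
    pos_application_on_internet: bool = False

def select_saq(env: PaymentEnvironment) -> str:
    """Apply the page's decision order: storage, outsourcing level, then channel.
    Anything that does not fit a reduced SAQ falls back to SAQ D."""
    if env.is_service_provider:
        return "D-SP"
    if env.stores_chd_electronically:
        return "D-Merchant"          # electronic storage rules out every reduced SAQ
    channels = [env.card_not_present, env.p2pe_validated_terminals_only,
                env.standalone_terminals, env.virtual_terminal_only,
                env.pos_application_on_internet]
    if sum(channels) != 1:
        return "D-Merchant"          # multi-channel (or unmapped) environment
    if env.card_not_present:
        # Provider JavaScript or an iframe rendered by the merchant page means
        # the merchant controls payment page delivery: A-EP, not A.
        if env.merchant_page_embeds_provider_code:
            return "A-EP"
        if env.provider_hosts_whole_payment_page:
            return "A"
        return "D-Merchant"          # card data reaches merchant systems
    if env.p2pe_validated_terminals_only:
        return "P2PE"
    if env.virtual_terminal_only:
        return "C-VT"
    if env.standalone_terminals:
        if env.terminals_connected_to_other_systems:
            return "D-Merchant"      # not standalone in the SAQ B/B-IP sense
        return "B-IP" if env.terminals_use_ip else "B"
    return "C"                       # POS application connected to the internet

# Constructed sample: the embedded-checkout store from the SAQ A-EP use case above.
EMBEDDED_CHECKOUT_SHOP = PaymentEnvironment(card_not_present=True,
                                            merchant_page_embeds_provider_code=True)
```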
Steps to Complete a PCI DSS Self-Assessment Questionnaire
Step 1: Scope Your Cardholder Data Environment
Identify every system component that stores, processes, or transmits cardholder data, plus every system connected to those components. This defines your cardholder data environment (CDE). Network segmentation can reduce scope by isolating the CDE from the rest of your network.
Step 2: Remediate Gaps
Before filling out the SAQ, address any known gaps. Common issues include:
- Missing encryption on stored data
- Weak password policies
- Lack of access controls
- Missing audit logs
- Unpatched systems in the CDE
Step 3: Answer Each Question Honestly
Go through every question in your applicable SAQ. For each control:
- Yes: The control is fully implemented
- Yes with CCW (Compensating Control Worksheet): The control is met through an alternative method documented in a CCW
- No: The control is not implemented (must be remediated)
- N/A: The control does not apply to your environment (must be justified)
Step 4: Complete the Attestation of Compliance
The AOC is a formal document that accompanies your SAQ. It must be signed by an authorized officer of your organization confirming the accuracy of the self-assessment.
Step 5: Submit to Your Acquiring Bank
Send the completed SAQ and AOC to your acquiring bank or payment brand as required. Keep copies for your records. Most acquirers require annual SAQ submission. Non-compliance fines range from $5,000 to $100,000 per month depending on the payment brand and violation severity.
Common PCI DSS Self-Assessment Questionnaire Mistakes

Choosing SAQ A when you should use SAQ A-EP. If your e-commerce site hosts any JavaScript or iframe from the payment processor, you likely need SAQ A-EP, not SAQ A. The distinction matters because SAQ A-EP requires vulnerability scanning and penetration testing that SAQ A does not.
Marking questions N/A without justification. Every N/A answer must include a reason. Auditors and acquirers flag SAQs with excessive unexplained N/A responses.
Forgetting third-party compliance verification. If you outsource payment functions, you must verify that your service providers are PCI DSS compliant. Request their AOC or check the Visa Global Registry of Service Providers.
Treating the SAQ as a one-time exercise. PCI DSS compliance is continuous. Your SAQ must be updated annually, and the controls it validates must be maintained year-round.
Frequently Asked Questions
Who needs to complete a PCI DSS SAQ?
Any merchant or service provider that handles payment card data and is not required to undergo a full on-site assessment by a QSA. Your acquiring bank determines whether you can self-assess or need a QSA-led audit, typically based on your annual transaction volume.
How long does it take to complete a PCI DSS self-assessment questionnaire?
SAQ A can be completed in a few hours if your payment environment is truly outsourced. SAQ D can take weeks or months depending on the complexity of your environment and the number of gaps requiring remediation. Most mid-complexity SAQs (B-IP, C-VT, C) take one to two weeks.
What happens if you fail the PCI DSS self-assessment questionnaire?
You cannot technically "fail" an SAQ since it is a self-assessment. However, if you answer "No" to any question without a compensating control, you are not compliant. Your acquiring bank may require a remediation plan, impose higher processing fees, or in severe cases, revoke your ability to accept card payments.
How often must the PCI DSS self-assessment questionnaire be completed?
The SAQ must be completed annually. Additionally, you must revalidate compliance whenever there are significant changes to your payment environment, such as switching payment processors, adding new payment channels, or changing how you store cardholder data.
Can a QSA help with the PCI DSS self-assessment questionnaire?
Yes. Many organizations hire a QSA to guide them through the SAQ process, especially for complex SAQ types like A-EP or D. The QSA can help with scoping, gap assessment, and remediation planning. This is called a QSA-assisted SAQ and is different from a full Report on Compliance (ROC).
