Guide · PCI DSS v4.0 · SAQ C

SAQ C: who qualifies, what it covers, and how to confirm it

SAQ C is written for merchants whose card processing runs through payment-application systems connected to the internet, with no electronic storage of cardholder data. It’s the questionnaire for software-driven, in-person payment setups: more involved than a standalone terminal, still well short of SAQ D. Here’s who fits, the C-VT and B-IP boundaries, and how to confirm it.

Plain-English · SAQ C eligibility · Free 2-minute check

Once payment software enters your environment, a till application, a tablet checkout, a payment app on a PC, PCI DSS starts caring about the systems it runs on and the network they sit on. SAQ C is the reduced questionnaire for exactly that setup, and it stays available on one condition: nothing you run stores cardholder data electronically.

Who SAQ C fits

SAQ C is one of the eight PCI DSS Self-Assessment Questionnaires published by the PCI Security Standards Council (PCI SSC). Completing one ends in a signed Attestation of Compliance (AOC) that goes to your acquiring bank or the card brands. SAQ C is the version for merchants running payment software, and it tends to sound like this:

The common thread: software you operate processes card data on internet-connected systems, and nothing in your environment stores cardholder data electronically. If that’s not quite your picture, the guide to all 8 SAQ types maps every acceptance pattern to its questionnaire.

The exact eligibility criteria

Per the PCI SSC’s SAQ Instructions and Guidelines for PCI DSS v4.0, SAQ C is for merchants with payment-application systems connected to the internet, with no electronic storage of cardholder data. Unpacked:

As with every SAQ, the document opens with an eligibility checklist you attest to item by item, and your signature on the AOC says the checklist is true. Answer it against how things actually run.

Find your SAQ free, in about 2 minutes.

Answer a few questions about how you accept cards and the free check computes your likely SAQ type on screen. No email to see it, no card, nothing to install. It’s indicative, not a QSA assessment, but it gives you a defensible starting point before you talk to your bank.

What disqualifies you: the adjacent-SAQ traps

SAQ C borders C-VT on one side, B-IP on the other, and SAQ D underneath everything. Four things to check before you attest:

A person keys everything into a hosted page: that’s SAQ C-VT

The boundary between SAQ C and SAQ C-VT is who does the processing. If your only card processing is someone typing one transaction at a time into an isolated, third-party-hosted virtual terminal, C-VT is the narrower questionnaire written for you. SAQ C assumes software in your environment processes cards; C-VT assumes a person and a browser. If no payment application runs on your systems, don’t take on SAQ C’s extra ground.

Standalone terminals with no software in the path: that’s SAQ B-IP

If cards are taken only on standalone, PTS-approved terminals with an IP connection to the processor, and no payment application touches the transaction, you’re describing SAQ B-IP. The line is hardware versus software: a standalone device talking straight to the processor points to B-IP; a payment-application system points to C. A terminal integrated with your POS software has already left “standalone” behind, which is usually where the SAQ C conversation starts. And if the terminals dial out over a phone line instead, that’s SAQ B.

Your application, or anything else, stores card data: the SAQ D override

This is the override that outranks every reduced SAQ. If the payment application keeps card numbers in a database or writes them into logs, or anyone saves them in a spreadsheet or call recording, SAQ D generally applies. Worth confirming with your software vendor exactly what the application retains before you attest to storing nothing: “we never look at it” and “it isn’t stored” are different claims.

You sell online too

A checkout page on your website points to SAQ A or SAQ A-EP territory, and keyed phone orders point to SAQ C-VT. If you accept cards through more than one channel, your validation can span more than one SAQ, and your acquiring bank tells you how to submit the whole picture.

What you answer, at a high level

Every SAQ draws from the same standard: the 12 PCI DSS requirements, organized under six goals (secure networks and systems, protect account data, vulnerability management, access control, monitoring and testing, and an information security policy). You’re validating against PCI DSS v4.0: v3.2.1 retired on March 31, 2024, and v4.0’s future-dated requirements became mandatory on March 31, 2025.

Because payment software runs on internet-connected systems you operate, expect SAQ C to reach across more of those goals than the standalone-terminal questionnaires do:

We don’t quote question counts, because the exact set varies by SAQ version. The honest summary: SAQ C asks more than B, B-IP, or C-VT because software and a network are in the card’s path, and it stays well short of SAQ D as long as nothing stores cardholder data.

How to confirm SAQ C is yours

Eligibility is defined by the PCI SSC, but the confirmation isn’t yours to make alone. Your acquiring bank or the card brands assign your validation level from your annual card volume and confirm which questionnaire they’ll accept. Most small and mid-size merchants validate with an SAQ; the highest-volume merchants go through a QSA-led Report on Compliance instead.

If your setup has an ambiguous edge, a POS integration you’re not sure counts, a vendor whose storage behavior you can’t pin down, a Qualified Security Assessor can rule on it formally. And if you want a defensible starting point before either conversation, our free check asks how you accept cards and computes your likely SAQ on screen in about two minutes, no email needed to see the result. It’s indicative, not a QSA assessment, and it’s built to make the bank conversation shorter.

Confirm your SAQ, then close the gaps.

The free check names your likely SAQ on screen in about two minutes. When you’re ready to act on it, the $1,495 PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with full rationale, marks every one of the 12 PCI DSS v4.0 requirements covered, partial, or gap, and hands you a prioritized 30/60/90 remediation roadmap. Intake-based, PDF in your inbox within hours, backed by a 7-day pre-delivery money-back guarantee. The $1,495 also credits toward a first month of an Aegis AI subscription at ai4ciso.ai.

Frequently asked questions

What is SAQ C?

SAQ C is a PCI DSS Self-Assessment Questionnaire for merchants whose card processing runs through payment-application systems connected to the internet, with no electronic storage of cardholder data. Completing it ends in a signed Attestation of Compliance submitted to your acquiring bank or the card brands.

What is the difference between SAQ C and SAQ C-VT?

Who does the processing. SAQ C assumes a payment-application system in your environment processes cards. SAQ C-VT assumes a person types each transaction, one at a time, into a virtual terminal hosted by a validated third party, from an isolated computer. Software in the path points to SAQ C; hand-keyed entry into a hosted page points to C-VT.

What is the difference between SAQ C and SAQ B-IP?

Software versus hardware. SAQ B-IP covers standalone, PTS-approved terminals that talk straight to the processor over an IP connection, with no payment software in the path. SAQ C covers payment-application systems, software running on systems you operate. A terminal integrated with POS software is no longer standalone, which usually moves the conversation to SAQ C.

My payment application stores card numbers. Am I still SAQ C?

Generally no. Electronic storage of cardholder data, in a database, file, log, spreadsheet, or call recording, means the reduced SAQs no longer apply and SAQ D generally does. It’s worth confirming with your software vendor exactly what the application retains before you attest to storing nothing.

Does SAQ C cover e-commerce?

SAQ C is written for payment-application systems connected to the internet, typically in-person environments. E-commerce channels point to SAQ A for fully outsourced setups, SAQ A-EP for partially outsourced ones, or SAQ D. Confirm with your acquiring bank.

Who confirms which SAQ I complete?

Eligibility is defined by the PCI Security Standards Council, and your acquiring bank or card brand confirms which questionnaire to submit and your validation level. Our free check shows your likely SAQ on screen in about two minutes; it’s indicative, not a QSA assessment.

Related guides

This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. SAQ eligibility is defined by the PCI SSC and confirmed by your acquiring bank or a Qualified Security Assessor. Our free check is indicative, not a QSA assessment.