Guide · PCI DSS v4.0 · 8 SAQ types

Your PCI SAQ is the first thing your bank asks for. Here’s how to find yours.

A Self-Assessment Questionnaire (SAQ) is how most merchants show they meet PCI DSS. There are eight, and the one you use depends entirely on how you accept cards. Pick the right one and the rest of PCI gets a lot simpler. Guess wrong and you either do far more work than you owe, or hand your bank a questionnaire it won’t accept.

Plain-English · All 8 SAQ types · Free 2-minute check

Most merchants don’t fall short on PCI because they’re careless. They fall short because no one ever told them which SAQ they’re supposed to complete. This guide walks through all eight in plain language, and shows how the way you take payments points to yours.

What is a PCI SAQ?

A PCI Self-Assessment Questionnaire is a validation document from the PCI Security Standards Council (PCI SSC). You complete it to report how your business meets the PCI DSS requirements that apply to you. It’s a self-report, so no assessor fills it out for you, and when you finish it you sign an Attestation of Compliance (AOC) that goes to your acquiring bank or the card brands.

There isn’t one SAQ. There are eight, each written for a different way of accepting cards. A shorter SAQ covers fewer requirements because you’ve handed more of the risk to a validated provider. A longer one covers more because more of the card data touches systems you control.

Why the right SAQ matters

Your acquiring bank and the card brands assign your validation level from your annual card volume, and the level sets how you validate. Most small and mid-size merchants validate with an SAQ; the highest-volume merchants go through a QSA-led Report on Compliance instead. Your bank confirms the level. What the SAQ decides is how much you have to answer.

That’s why guessing is expensive in both directions. Reach for SAQ D when you actually qualify for SAQ A and you’ll answer the full set of requirements you never owed. Claim SAQ A when card data really does touch your systems, and your bank sends it back, or worse, you attest to something that isn’t true. Knowing your SAQ first is what keeps the rest of the work honest and small.

Find your SAQ free, in about 2 minutes.

Answer a few questions about how you accept cards and the free check computes your likely SAQ type on screen. No email to see it, no card, nothing to install.

All 8 PCI SAQ types, explained

Here is every SAQ, who it fits, and the qualifier that usually decides it. These definitions follow the PCI SSC SAQ Instructions and Guidelines for PCI DSS v4.0.

SAQWho it fitsKey qualifier
ACard-not-present merchants (e-commerce or mail/telephone order) that fully outsource all cardholder-data functions to PCI DSS-validated third parties.Your systems never store, process, or transmit cardholder data (for example, a processor-hosted payment page reached by redirect or iframe).
A-EPE-commerce merchants that partially outsource payment processing to a validated third party.Your website can affect the security of the transaction but doesn’t itself receive cardholder data (for example, a direct-post or JavaScript form that sends card data straight to the processor).
BMerchants using only imprint machines or standalone, dial-out terminals.No electronic storage of cardholder data.
B-IPMerchants using only standalone, PTS-approved payment terminals with an IP connection to the processor.No electronic storage of cardholder data.
C-VTMerchants who key one transaction at a time into an isolated, third-party-hosted virtual terminal.No electronic storage of cardholder data.
CMerchants with payment-application systems connected to the internet.No electronic storage of cardholder data.
P2PEMerchants using only a PCI SSC-listed point-to-point encryption (P2PE) solution.No electronic storage of cardholder data.
DEveryone else: SAQ D for Merchants (any merchant not eligible for a smaller SAQ) and SAQ D for Service Providers.Covers the full set of PCI DSS requirements.

One line runs through almost all of them: no electronic storage of cardholder data. The reduced SAQs, everything except D, assume you don’t keep card numbers in a database, spreadsheet, app log, or call recording. The moment a system you control stores cardholder data electronically, you’re generally in SAQ D, whatever channel you sell through.

How card acceptance maps to your SAQ

You don’t pick your SAQ by preference. It follows from how card data flows through your business. Four common patterns:

And the override that catches many merchants: if any system you control stores cardholder data electronically, none of the reduced SAQs apply and you complete SAQ D. Take cards more than one way? Your environment can span more than one SAQ, and your bank will tell you how to validate the whole picture.

Not sure which one is yours?

Most merchants can’t name their SAQ off the top of their head, and that’s normal. You don’t have to guess your way there, and you shouldn’t, because the wrong guess is what wastes the effort.

Confirm your SAQ, then close the gaps.

The free check names your likely SAQ on screen in about two minutes. When you’re ready to act on it, the $1,495 PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with full rationale, marks every one of the 12 PCI DSS v4.0 requirements covered, partial, or gap, and hands you a prioritized 30/60/90 remediation roadmap with the evidence an assessor will ask for. Intake-based, PDF in your inbox within hours.

Frequently asked questions

What is a PCI SAQ?

A PCI Self-Assessment Questionnaire (SAQ) is a validation document from the PCI Security Standards Council. A merchant or service provider completes it to report how it meets the applicable PCI DSS requirements. Which SAQ you use depends on how you accept payment cards.

Which PCI SAQ is easiest?

The fewer card-data functions you run yourself, the shorter your SAQ. SAQ A applies when you’ve fully outsourced all cardholder-data handling to validated third parties, so it asks the least of your own systems. SAQ D covers the full set of PCI DSS requirements, so it’s the longest.

Does storing card numbers change my SAQ?

Yes. Storing cardholder data electronically generally means you complete SAQ D, which covers the full set of PCI DSS requirements. The reduced SAQs assume you don’t store cardholder data electronically.

How many PCI SAQ types are there?

There are eight: SAQ A, A-EP, B, B-IP, C-VT, C, P2PE, and D. SAQ D also has a separate version for service providers.

Who decides which SAQ I complete?

Eligibility for each SAQ is defined by the PCI Security Standards Council based on how you accept cards. Your acquiring bank or card brand confirms which questionnaire you must submit and your validation level.

Related guides

This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. Confirm your SAQ and obligations with your acquiring bank or a Qualified Security Assessor.