Most merchants don’t fall short on PCI because they’re careless. They fall short because no one ever told them which SAQ they’re supposed to complete. This guide walks through all eight in plain language, and shows how the way you take payments points to yours.
What is a PCI SAQ?
A PCI Self-Assessment Questionnaire is a validation document from the PCI Security Standards Council (PCI SSC). You complete it to report how your business meets the PCI DSS requirements that apply to you. It’s a self-report, so no assessor fills it out for you, and when you finish it you sign an Attestation of Compliance (AOC) that goes to your acquiring bank or the card brands.
There isn’t one SAQ. There are eight, each written for a different way of accepting cards. A shorter SAQ covers fewer requirements because you’ve handed more of the risk to a validated provider. A longer one covers more because more of the card data touches systems you control.
Why the right SAQ matters
Your acquiring bank and the card brands assign your validation level from your annual card volume, and the level sets how you validate. Most small and mid-size merchants validate with an SAQ; the highest-volume merchants go through a QSA-led Report on Compliance instead. Your bank confirms the level. What the SAQ decides is how much you have to answer.
That’s why guessing is expensive in both directions. Reach for SAQ D when you actually qualify for SAQ A and you’ll answer the full set of requirements you never owed. Claim SAQ A when card data really does touch your systems, and your bank sends it back, or worse, you attest to something that isn’t true. Knowing your SAQ first is what keeps the rest of the work honest and small.
Find your SAQ free, in about 2 minutes.
Answer a few questions about how you accept cards and the free check computes your likely SAQ type on screen. No email to see it, no card, nothing to install.
All 8 PCI SAQ types, explained
Here is every SAQ, who it fits, and the qualifier that usually decides it. These definitions follow the PCI SSC SAQ Instructions and Guidelines for PCI DSS v4.0.
| SAQ | Who it fits | Key qualifier |
|---|---|---|
| A | Card-not-present merchants (e-commerce or mail/telephone order) that fully outsource all cardholder-data functions to PCI DSS-validated third parties. | Your systems never store, process, or transmit cardholder data (for example, a processor-hosted payment page reached by redirect or iframe). |
| A-EP | E-commerce merchants that partially outsource payment processing to a validated third party. | Your website can affect the security of the transaction but doesn’t itself receive cardholder data (for example, a direct-post or JavaScript form that sends card data straight to the processor). |
| B | Merchants using only imprint machines or standalone, dial-out terminals. | No electronic storage of cardholder data. |
| B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor. | No electronic storage of cardholder data. |
| C-VT | Merchants who key one transaction at a time into an isolated, third-party-hosted virtual terminal. | No electronic storage of cardholder data. |
| C | Merchants with payment-application systems connected to the internet. | No electronic storage of cardholder data. |
| P2PE | Merchants using only a PCI SSC-listed point-to-point encryption (P2PE) solution. | No electronic storage of cardholder data. |
| D | Everyone else: SAQ D for Merchants (any merchant not eligible for a smaller SAQ) and SAQ D for Service Providers. | Covers the full set of PCI DSS requirements. |
One line runs through almost all of them: no electronic storage of cardholder data. The reduced SAQs, everything except D, assume you don’t keep card numbers in a database, spreadsheet, app log, or call recording. The moment a system you control stores cardholder data electronically, you’re generally in SAQ D, whatever channel you sell through.
How card acceptance maps to your SAQ
You don’t pick your SAQ by preference. It follows from how card data flows through your business. Four common patterns:
- Fully outsourced e-commerce. Your customer types their card on a page hosted by your processor, reached by a redirect or an embedded iframe. Your own systems never see the number. That points to SAQ A.
- A card form on your own website. Your pages collect card details in a form, a direct-post or JavaScript form, that sends the data straight to the processor. Your site can affect the security of the transaction but doesn’t receive the card data itself. That points to SAQ A-EP.
- An in-person terminal. A standalone dial-out terminal or imprint machine points to SAQ B. A standalone, PTS-approved terminal with an IP connection to your processor points to SAQ B-IP. A validated point-to-point encryption solution from the PCI SSC list points to SAQ P2PE.
- A virtual terminal. Staff key one transaction at a time into an isolated, third-party-hosted web page. That points to SAQ C-VT. A payment application connected to the internet points to SAQ C instead.
And the override that catches many merchants: if any system you control stores cardholder data electronically, none of the reduced SAQs apply and you complete SAQ D. Take cards more than one way? Your environment can span more than one SAQ, and your bank will tell you how to validate the whole picture.
Not sure which one is yours?
Most merchants can’t name their SAQ off the top of their head, and that’s normal. You don’t have to guess your way there, and you shouldn’t, because the wrong guess is what wastes the effort.
Confirm your SAQ, then close the gaps.
The free check names your likely SAQ on screen in about two minutes. When you’re ready to act on it, the $1,495 PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with full rationale, marks every one of the 12 PCI DSS v4.0 requirements covered, partial, or gap, and hands you a prioritized 30/60/90 remediation roadmap with the evidence an assessor will ask for. Intake-based, PDF in your inbox within hours.
Frequently asked questions
What is a PCI SAQ?
A PCI Self-Assessment Questionnaire (SAQ) is a validation document from the PCI Security Standards Council. A merchant or service provider completes it to report how it meets the applicable PCI DSS requirements. Which SAQ you use depends on how you accept payment cards.
Which PCI SAQ is easiest?
The fewer card-data functions you run yourself, the shorter your SAQ. SAQ A applies when you’ve fully outsourced all cardholder-data handling to validated third parties, so it asks the least of your own systems. SAQ D covers the full set of PCI DSS requirements, so it’s the longest.
Does storing card numbers change my SAQ?
Yes. Storing cardholder data electronically generally means you complete SAQ D, which covers the full set of PCI DSS requirements. The reduced SAQs assume you don’t store cardholder data electronically.
How many PCI SAQ types are there?
There are eight: SAQ A, A-EP, B, B-IP, C-VT, C, P2PE, and D. SAQ D also has a separate version for service providers.
Who decides which SAQ I complete?
Eligibility for each SAQ is defined by the PCI Security Standards Council based on how you accept cards. Your acquiring bank or card brand confirms which questionnaire you must submit and your validation level.
Related guides
This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. Confirm your SAQ and obligations with your acquiring bank or a Qualified Security Assessor.