Understanding which Self Assessment Questionnaire (SAQ) is right for your business is a vital but complex task. Here, we explain each of the 9 possible SAQs to help you make the right decision.

Before we dive into the different SAQs available, let’s take a step back and look at the background of PCI DSS briefly and whether you may actually require an ROC instead of SAQ:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security standards developed by the major credit card issuers in the world - Visa, MasterCard, American Express, Discover and JCB. It is administered by the PCI Security Standards Council and serves organizations   who work with and are associated with payment cards. These are merchants, financial institutions, point of sale vendors ect.

It's important to note that depending on the credit card issuer (VISA, MasterCard, JCB, Amex, Diner etc) scheme a merchant avails of, an SAQ alone is not enough. A Report on Compliance (ROC) may have to be completed. This is a formal audit performed by a Qualified Security Assessor (QSA). The ROC is produced during an onsite PCI DSS assessment and covers all processes related to credit card collection, storage, transmission, destruction and more. Because of the complexity and importance of the audit, we will cover it in a standalone blog post soon.

Not sure whether you require an ROC or SAQ?  Speak to our experts. 

However, smaller merchants and service providers are not required to undergo a full audit on compliance with a QSA and sumit a ROC. Instead, they have to fill out a Self Assessment Questionnaire (SAQ). It is a self-validation tool meant to assist in the evaluation of PCI DSS compliance levels. The PCI Council have developed multiple versions of SAQs for different scenarios each containing questions relevant to a specific type of merchant environment.

Regardless of what you have to complete (SAQ or ROC) the same PCI DSS requirements apply. The main difference is that SAQs can be autonomously completed while ROCs are reported by QSAs upon completion of a full PCI DSS audit.

Understanding which SAQ is right for your business

There are a total of 9 SAQs and determining which one is appropriate for your company might be challenging. Generally, it will depend on the way you process credit cards and handle cardholder data. Note, that the PCI Council frequently releases updates to the requirements and for now, the latest update (PCI DSS version 3.2.1) was published in May 2018. You can find the document library regarding SAQs on the official PCI Council website.

As stated above, you must choose the SAQ that is right for your processing environment. All SAQs except SAQ D, have a common factor, none of them allow for electronic storage of cardholder data. Here is the breakdown of all SAQs and explanation on who should complete which one: 

  1. SAQ A is for e-commerce/mail/telephone-order (card not present) merchants and is not applicable to face-to-face channels. If your business has fully outsourced all cardholder functions (for example by redirecting payment card processing to a PCI DSS compliant service provider or by using an IFRAME) and does not store, process or transmit any cardholder data this SAQ is the one you should fill out.
  2. SAQ A-EP is slightly different from the SAQ A and it is dedicated to those e-commerce-only merchants who do not directly receive cardholder data but that might affect the confidentiality of these payment transactions. Often, merchants falling in this category, partially outsource payment processing to other PCI DSS compliant service providers to which they connect their e-commerce websites using techniques such as the direct post or similar techniques that facilitate the transmission of cardholder data. This specific SAQ takes into account specifics and additional security threats and require consequently more effort.
  3. SAQ B is for merchants who use imprint machines and/or standalone, dial-out terminals and have no electronic cardholder data transmission, processing and storage. This SAQ is applicable only to face-to-face channels and not to e-commerce merchants.
  4. SAQ B-IP is for merchants who use only standalone, PTS (PIN Transactions Security) devices with an IP connections to the payment processor, and that have electronic cardholder storage. This SAQ covers terminals that are network based whereas SAQ B is for terminals that transmit data via dial-up.
  5. SAQ C-VT is for merchants who manually enter a single transaction at a time with a keyboard into an Internet-based, virtual payment terminal hosted by a third-party service provider. These merchants do not store any cardholder data. (Not applicable to e-commerce merchants).
  6. SAQ C is for is for merchants with a payment application connected to the Internet, but with no electronic cardholder data storage. (Not applicable to e-commerce merchants).
  7. SAQ P2PE is for merchants who use approved point-to-point encryption (P2PE) devices, with no electronic card data storage. P2PE is a service provided by a third party and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe) until the data reaches the solution provider’s secure decryption environment.
  8. SAQ D for Merchants is for merchants that do not outsource their credit card processing or use a P2PE solution, and may store credit card data electronically.
  9. SAQ D for Service Providers is for service providers deemed eligible to complete an SAQ.

Depending on the complexity of the processing environment, SAQs contain different number of questions. We have counted them for you, so you know what to expect:

PCI DSS SAQs questions

Any business owner today cares about security. This doesn’t make them a security expert. The language used in the different questionnaires, choosing the correct one and knowing how to complete them is challenging. Often this challenge is an addition to an already packed day-to-day. If you are a business owner who needs to become compliant in a secure yet efficient manner, we can help. The ZeroRisk PCI Portal through a user friendly interface and simple questions selects the right SAQ with you and guides you through the completion without you having to become a security expert in the process! 

Learn more about becoming  PCI DSS compliant with zero effort 


Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA