PCI SAQ, SAQ
George Mateaki
Security Analyst
(CISSP,  CISA, QSA, PA-QSA)

Prove your payment card security to your bank through an SAQ.

PCI SAQ, SAQA PCI Self-Assessment Questionnaire (PCI SAQ) is a merchant’s statement of PCI compliance. It’s a way to show that you're taking the security measures needed to keep cardholder data secure at your business.


Each SAQ includes a list of security standards that businesses must review and follow. PCI SAQs vary in length. SAQ A is the shortest with just 22 questions, and the longest is SAQ D with 329 questions.

SEE ALSO: What are the 12 Requirements of PCI DSS Compliance?

Determining which SAQ is appropriate for you

There are 9 different SAQs a merchant can choose from. How you process credit cards and handle cardholder data determines which SAQ your business needs to fill out. For example, if you don't have a storefront and all your products are sold online through a third party, you probably qualify for SAQ A or SAQ A-EP. If you do have a storefront that processes credit cards through the Internet and you also store customer credit card data, you're probably an SAQ D merchant.

SEE ALSO: Updating to PCI 3.2 SAQs: The Changes You Should Know

Ultimately, you must choose the SAQ that’s right for your processing environment, but generally speaking:


    SAQ, PCI SAQ
  • SAQ A is for e-commerce/mail/telephone-order (card-not-present) merchants that have fully outsourced all cardholder data functions. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
  • SAQ A-EP is for e-commerce-only merchants that use a third-party service provider to handle their card information and who have a website that doesn’t handle card data, but could impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
  • SAQ B is for merchants that use imprint machines and/or standalone, dial-out terminals, and have no electronic cardholder data transmission, processing, or storage. Not for e-commerce environments.
  • SAQ B-IP Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that have no electronic cardholder data storage. Not for e-commerce environments.
  • SAQ C-VT is for merchants that use a virtual terminal on one computer dedicated solely to card processing. No electronic cardholder data storage. Not for e-commerce environments.
  • SAQ C is for any merchant with a payment application connected to the Internet, but with no electronic cardholder data storage.
  • SAQ P2PE is for merchants using approved point-to-point encryption (P2PE) devices, with no electronic card data storage. 
  • SAQ D for Merchants is for merchants that do not outsource their credit card processing or use a P2PE solution, and may store credit card data electronically. 
  • SAQ D for Service Providers is for service providers deemed eligible to complete an SAQ.

This table gives more detail about each of the PCI DSS 3.2 SAQ types:

Watch this video to learn what you should know before you begin filling out your PCI questionnaire.



Why is this a requirement?

The Self-Assessment Questionnaire isn’t just a roadmap to compliance; it’s a roadmap to better security. Filling out a PCI SAQ is the best way to make sure you aren’t missing any business security requirements. In addition, merchant processors don’t want to work with insecure businesses, so they typically require each merchant to provide a PCI SAQ as proof of payment security.

SEE ALSO: PCI FAQ

Remember that no matter your SAQ type, you're still required to follow ALL the PCI DSS standards. Doing so may require vulnerability scans, penetration tests, and/or audits.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.