Prove your payment card security to your bank through an SAQ.

Brand Barney, Security Analyst, SecurityMetrics
By: Brand Barney
A PCI Self-Assessment Questionnaire (PCI SAQ) is a merchant’s statement of compliance. It’s basically proof that you’re doing what you’re supposed to be doing, security-wise.

pci standards, pci saq pci-dss saqEssentially, a PCI questionnaire is a list of security standards that businesses must review and follow. Depending on how you process credit cards, (and depending on how secure that method of processing is) you may be required to fill out a PCI SAQ A (14 questions) down to a PCI SAQ D (329 questions).

Determining which SAQ is appropriate for you

There are 9 different SAQs a merchant must choose from, depending on the way you process, store, or handle credit and debit cards. For example, if you do not have a storefront and all your products are sold online through a third party, you probably qualify for SAQ A or SAQ A EP. If you have a storefront that processes credit cards through the Internet and you also store customer credit card data, you are probably an SAQ D merchant.

SEE ALSO: Updating to PCI 3.2 SAQs: The Changes You Should Know

Here’s the entire list of PCI SAQs.

  • A: E-commerce merchants that fully outsource payment processing
  • A EP: Merchants that partially outsource e-commerce
  • B: Merchants connected to phone line terminal
  • B IP: Merchants with standalone IP-connected processing terminals
  • CVT: Merchants that only process via virtual terminal on one computer
  • C: Merchants connected to Internet with no electronic storage
  • D Merchant: Merchants that store payment card data electronically
  • D Service Provider: Service providers that store card data
  • P2PE-HW: Merchants that only use P2PE-validated processing terminals
Watch this video to learn what you should know before you begin filling out your PCI questionnaire.

Why is this a requirement?

The Self-Assessment Questionnaire isn’t just a roadmap to compliance, it’s a roadmap to great security! Filling out a PCI SAQ is the best way to make sure you aren’t missing any business security requirements. In addition, merchant processors don’t want to work with insecure businesses, so they typically require each merchant to provide their SAQ as proof of payment security.


Remember that no matter your SAQ letter, you are still required to follow ALL the PCI DSS standards. If you find that some requirements are too technical, SecurityMetrics would love to help, or enlist the help of your IT guru.

Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.


  1. One question this - as well as the rest of your site - does not answer is where I can get this SAQ A or whatever other questionnaire - is this just so you can sell more of $399/year plans to those who don't need them?

    1. Thanks for your comment! If you only need to access your questionnaire, just sign into your account at: Our pricing varies greatly depending on what you need. We also offer bank discounts. The price on the website is a sample package that you may not need based on how your business processes credit cards. We recommend calling 801.705.5665 and a compliance consultant can help out!