What is a SAQ (Self-Assessment Questionnaire)?
A Self-Assessment Questionnaire (SAQ) is the form a merchant fills in once a year to validate PCI DSS compliance themselves, instead of paying a QSA for an on-site audit. There are nine versions, each scoped to a different way of taking card payments — SAQ A (22 controls, the simplest) for fully outsourced acceptance, through to SAQ D with 329 controls. Picking the right one is the most important compliance decision you'll make.
A Self-Assessment Questionnaire (SAQ) is the document a merchant or service provider completes annually to attest to their own PCI DSS compliance. It's the self-validation route open to every merchant level except Level 1, which has to be assessed by a Qualified Security Assessor instead. The PCI Security Standards Council publishes nine SAQ versions and the right one for you depends entirely on how cardholder data flows through your business — from a 22-question SAQ A for fully outsourced e-commerce up to a 329-question SAQ D for everything that doesn't fit anywhere else. Each SAQ ships with a matching Attestation of Compliance (AoC), and both go to your acquiring bank.
The SAQ — sometimes called a PCI self-assessment or self-assessment questionnaire — isn't a single document. The nine versions cover everything from imprint machines to P2PE-validated terminals, and the gap between them is huge in practice: SAQ A is a short afternoon's work, SAQ D is weeks. Get it wrong and you'll either do far more than you need to, or you'll claim a compliance posture you can't actually demonstrate when an acquirer asks. Most of our clients land on SAQ A — across their phone channel, web checkout, and payment links — once they're on the platform.
What Is a Self-Assessment Questionnaire?
A Self-Assessment Questionnaire (SAQ) is a validation tool used by merchants and service providers to assess and report their compliance with PCI DSS. It is essentially a structured checklist of yes/no questions that correspond to the PCI DSS requirements applicable to your specific payment environment.
The SAQ is designed for organisations that are not required to undergo a full on-site assessment by a Qualified Security Assessor (QSA). This typically means Level 2, 3, and 4 merchants -- which covers the vast majority of businesses that accept card payments.
SAQ Types
There is not just one SAQ. The PCI Security Standards Council publishes several versions, each tailored to a specific type of payment environment. The SAQ type you need to complete depends on how your business handles card data.
SAQ A
For merchants that have fully outsourced all card data processing to PCI DSS-validated third parties. The merchant never sees, processes, or stores card data in any form. This is the simplest SAQ, with the fewest questions.
Typical use E-commerce businesses using a hosted payment page or iframe where card data never touches the merchant's servers.
SAQ A-EP
For e-commerce merchants that partially outsource payment processing but have website elements that could affect the security of the payment transaction. The merchant's web server does not receive card data directly, but it does serve the page that contains the payment form.
SAQ B
For merchants using only imprint machines or standalone dial-out payment terminals with no electronic card data storage.
SAQ B-IP
For merchants using standalone, PTS-approved payment terminals connected to the payment processor via IP (internet), with no electronic card data storage.
SAQ C
For merchants with payment application systems connected to the internet but no electronic card data storage. The payment application is on an isolated device or network segment.
SAQ C-VT
For merchants who manually enter card data one transaction at a time via a virtual terminal provided by a PCI DSS-validated third party. No electronic card data storage.
Typical use Small businesses or call centres where agents type card details into a web-based payment page.
SAQ D
The most thorough SAQ, covering all PCI DSS requirements. This applies to merchants and service providers that do not fit into any of the other SAQ categories. It is essentially the full PCI DSS standard in questionnaire form.
Typical use Merchants that store card data electronically, or those with complex payment environments that span multiple channels and systems.
SAQ P2PE
For merchants using a validated Point-to-Point Encryption (P2PE) solution and no electronic card data storage. The P2PE solution encrypts card data at the point of interaction, meaning the merchant's environment never has access to cleartext card data.
How to Determine Your SAQ Type
Choosing the correct SAQ type is critical. Completing the wrong one -- either too simple or too complex -- can lead to compliance issues. The key questions to ask are:
- How does your business accept card payments? (Online, in-person, over the phone, or a combination?)
- Does card data ever pass through your systems, even briefly?
- Do you store any card data electronically after a transaction?
- What technology do you use to process payments? (Virtual terminal, payment terminal, website integration?)
- Have you outsourced any part of the payment process to a third party?
Your acquiring bank can help you determine the correct SAQ type. Many QSAs also offer pre-assessment consultations to ensure you complete the right questionnaire.
Completing the SAQ
Each question in the SAQ maps to a specific PCI DSS requirement. For each question, you must indicate one of the following:
- Yes The requirement is fully met
- Yes with CCW (Compensating Control Worksheet) The requirement is met through an alternative compensating control
- No The requirement is not met (you are not compliant)
- N/A The requirement does not apply to your environment
Any "No" answer means you have a compliance gap that must be remediated. You cannot submit an SAQ with outstanding "No" responses and claim compliance. Once all requirements are met, you sign an Attestation of Compliance (AOC) and submit both documents to your acquiring bank.
SAQ and Telephone Payments
The SAQ type applicable to telephone payment environments depends on how card data is handled:
- If agents type card details into a virtual terminal and no card data is stored, SAQ C-VT may apply
- If agents handle card data in any other way, or if call recordings capture card details, SAQ D is likely required
- If a DTMF masking solution prevents card data from entering the agent environment entirely, the telephone payment channel qualifies for SAQ A
The difference between SAQ C-VT (around 80 questions) and SAQ D (over 300 questions) is substantial. Descoping the telephone environment can save weeks of assessment work and significantly reduce the security controls your organisation needs to maintain.
Paytia is a PCI DSS Level 1 Service Provider, independently audited against the full standard every year. On every channel we support — payment links, web checkout, and phone — the card is captured by our certified platform, not yours. That's what puts you on SAQ A.
SAQ A has 22 controls. The default for a merchant taking phone payments without this kind of solution — SAQ C-VT or SAQ D — runs to 80 or 329 controls respectively, plus the network segmentation, call recording rules, and agent workstation policies to evidence behind them. With Paytia, that entire category of scope drops away because the card data never reaches your systems in the first place.
There's also a multi-channel benefit that catches people out. A business taking phone payments, running a web checkout, and sending payment links would normally need separate SAQs for each channel — or fold everything into SAQ D. Because Paytia handles card capture across all three channels, you fill in one SAQ A and you're done. Add a channel and your PCI position stays where it is.
Frequently Asked Questions
Which SAQ do I need to complete?+
The SAQ type depends on how your business handles card payments. If you use a hosted payment page and never touch card data, SAQ A applies. If agents type card details into a virtual terminal, SAQ C-VT may apply. If you have a complex environment or store card data, SAQ D is likely required. Your acquiring bank or a QSA can help you determine the correct type.
How many questions are in the PCI DSS SAQ?+
It varies by type. SAQ A has 22 controls, SAQ C-VT has around 80, and SAQ D has 329. The more card data your environment handles, the more questions you need to answer. Removing card data from your systems entirely -- by routing phone payments, web checkout, and payment links through a PCI DSS Level 1 service provider -- is what gets you to SAQ A.
Can I complete the SAQ myself or do I need a QSA?+
Level 2, 3, and 4 merchants can typically self-assess by completing the SAQ without QSA involvement. However, some acquiring banks may require Level 2 merchants to engage a QSA. Even when self-assessment is permitted, many organisations find it helpful to consult a QSA to ensure they are completing the right SAQ type and interpreting requirements correctly.
See how Paytia handles saq (self-assessment questionnaire)
Book a personalised demo and we'll show you how our platform works with your setup.
Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia