What is a SAQ (Self-Assessment Questionnaire)?

A Self-Assessment Questionnaire (SAQ) is a form that businesses fill out to demonstrate their compliance with PCI DSS requirements. The SAQ type you need depends on how you accept card payments, with simpler questionnaires available when card data never enters your environment.

Understanding the PCI DSS Self-Assessment Questionnaire

The Self-Assessment Questionnaire is a validation tool created by the PCI Security Standards Council. It allows merchants and service providers to report the results of their own PCI DSS assessment. Rather than requiring every business that handles card payments to hire an external assessor, the SAQ gives organisations a structured way to evaluate and document their own security controls.

Every business that accepts, processes, stores, or transmits cardholder data must validate its PCI DSS compliance. For most small and mid-sized businesses, the SAQ is the primary method of doing so. Larger organisations processing millions of transactions annually typically require a formal audit by a Qualified Security Assessor (QSA) instead.

The Different SAQ Types

There are several SAQ types, each designed for a specific card acceptance method. The most common include:

  • SAQ A — For merchants that have fully outsourced all cardholder data functions to PCI DSS-validated third parties. This is the shortest and simplest questionnaire, with around 22 requirements.
  • SAQ A-EP — For e-commerce merchants that partially outsource payment processing but whose website could affect the security of the transaction.
  • SAQ B — For merchants using imprint machines or standalone dial-out terminals with no electronic cardholder data storage.
  • SAQ B-IP — For merchants using standalone, PCI-listed payment terminals connected via IP, with no electronic cardholder data storage.
  • SAQ C — For merchants with payment application systems connected to the internet but no electronic cardholder data storage.
  • SAQ C-VT — For merchants manually entering a single transaction at a time via a virtual terminal on a computer connected to the internet.
  • SAQ D — The most comprehensive questionnaire, covering all PCI DSS requirements. This applies to merchants and service providers that do not fall into any other SAQ category.

Why Your SAQ Type Matters

The difference between SAQ types is significant. SAQ A contains roughly 22 requirements, whilst SAQ D contains over 300. Reducing your SAQ scope saves time, money, and administrative burden. More importantly, it typically means your systems handle less sensitive data, reducing your risk of a breach.

How to determine your SAQ type

Your SAQ type depends on your payment acceptance channels and how cardholder data flows through your systems. If card data never touches your environment — because it is captured by a third-party service — you may qualify for a simpler SAQ. If your staff handle card numbers directly, or if your systems store or process card data, you will likely need a more comprehensive questionnaire.

Completing Your SAQ

Each SAQ contains a series of yes-or-no questions about your security controls. For each requirement, you must indicate whether the control is in place, not in place, or not applicable. You must also provide an explanation for any controls marked as not applicable. Once completed, the SAQ is submitted alongside an Attestation of Compliance (AOC) to your acquiring bank or payment brand.

Many businesses find the SAQ process challenging because it requires detailed knowledge of how card data moves through their systems. Working with a payment solution that reduces your scope can dramatically simplify the process.

How Paytia Uses This

Paytia's secure payment solutions are specifically designed to reduce your PCI DSS scope and simplify your SAQ. When you use Paytia's DTMF suppression technology for telephone payments, card numbers entered by the caller never reach your contact centre environment. Your agents cannot hear, see, or access the card data at any point during the call.

This means businesses using Paytia can typically qualify for SAQ A or SAQ A-EP rather than the much longer SAQ D. Instead of answering over 300 compliance questions, you may only need to complete around 22. Paytia is PCI DSS Level 1 certified — the highest level of certification — so the security of the payment capture is already validated on your behalf.

By removing card data from your telephony environment entirely, Paytia not only makes compliance easier but also reduces the risk and cost associated with handling sensitive payment information.

Frequently Asked Questions

How many SAQ types are there?

There are nine SAQ types (A, A-EP, B, B-IP, C, C-VT, D for merchants, D for service providers, and P2PE). The one you need depends on how your business accepts and processes card payments.

Can Paytia help me reduce my SAQ scope?

Yes. Because Paytia's DTMF suppression ensures card data never enters your contact centre, most businesses using Paytia can qualify for SAQ A instead of the much longer SAQ D, reducing the number of compliance requirements from over 300 to around 22.

How often do I need to complete a SAQ?

You must complete and submit a SAQ annually to your acquiring bank or payment brand to maintain your PCI DSS compliance validation.