What is a SAQ (Self-Assessment Questionnaire)?

A Self-Assessment Questionnaire (SAQ) is the form a merchant fills in once a year to validate PCI DSS compliance themselves, instead of paying a QSA for an on-site audit. There are nine versions, each scoped to a different way of taking card payments — SAQ A for fully outsourced e-commerce through to SAQ D, the 329-question catch-all. Picking the wrong one is the most common compliance mistake we see.

A Self-Assessment Questionnaire (SAQ) is the document a merchant or service provider completes annually to attest to their own PCI DSS compliance. It's the self-validation route open to every merchant level except Level 1, which has to be assessed by a Qualified Security Assessor instead. The PCI Security Standards Council publishes nine SAQ versions and the right one for you depends entirely on how cardholder data flows through your business — from a 22-question SAQ A for fully outsourced e-commerce up to a 329-question SAQ D for everything that doesn't fit anywhere else. Each SAQ ships with a matching Attestation of Compliance (AOC), and both go to your acquiring bank.

The SAQ — sometimes called a PCI self-assessment or self-assessment questionnaire — isn't a single document. The nine versions cover everything from imprint machines to P2PE-validated terminals, and the gap between them is huge in practice: SAQ A is a short afternoon's work; SAQ D is weeks. Get it wrong and you'll either do far more than you need to, or you'll claim a compliance posture you can't actually demonstrate when an acquirer asks. Most of our clients land on SAQ A or SAQ C-VT once DTMF masking takes their phone channel out of scope.

What Is a Self-Assessment Questionnaire?

A Self-Assessment Questionnaire (SAQ) is a validation tool used by merchants and service providers to assess and report their compliance with PCI DSS. It is essentially a structured checklist of yes/no questions that correspond to the PCI DSS requirements applicable to your specific payment environment.

The SAQ is designed for organisations that are not required to undergo a full on-site assessment by a Qualified Security Assessor (QSA). This typically means Level 2, 3, and 4 merchants -- which covers the vast majority of businesses that accept card payments.

SAQ Types

There is not just one SAQ. The PCI Security Standards Council publishes several versions, each tailored to a specific type of payment environment. The SAQ type you need to complete depends on how your business handles card data.

SAQ A

For merchants that have fully outsourced all card data processing to PCI DSS-validated third parties. The merchant never sees, processes, or stores card data in any form. This is the simplest SAQ, with the fewest questions.

Typical use: E-commerce businesses using a hosted payment page or iframe where card data never touches the merchant's servers.

SAQ A-EP

For e-commerce merchants that partially outsource payment processing but have website elements that could affect the security of the payment transaction. The merchant's web server does not receive card data directly, but it does serve the page that contains the payment form.

SAQ B

For merchants using only imprint machines or standalone dial-out payment terminals with no electronic card data storage.

SAQ B-IP

For merchants using standalone, PTS-approved payment terminals connected to the payment processor via IP (internet), with no electronic card data storage.

SAQ C

For merchants with payment application systems connected to the internet but no electronic card data storage. The payment application is on an isolated device or network segment.

SAQ C-VT

For merchants who manually enter card data one transaction at a time via a virtual terminal provided by a PCI DSS-validated third party. No electronic card data storage.

Typical use: Small businesses or call centres where agents type card details into a web-based payment page.

SAQ D

The most thorough SAQ, covering all PCI DSS requirements. This applies to merchants and service providers that do not fit into any of the other SAQ categories. It is essentially the full PCI DSS standard in questionnaire form.

Typical use: Merchants that store card data electronically, or those with complex payment environments that span multiple channels and systems.

SAQ P2PE

For merchants using a validated Point-to-Point Encryption (P2PE) solution and no electronic card data storage. The P2PE solution encrypts card data at the point of interaction, meaning the merchant's environment never has access to cleartext card data.

How to Determine Your SAQ Type

Choosing the correct SAQ type is critical. Completing the wrong one -- either too simple or too complex -- causes problems either way: too simple and you attest to a scope that leaves real cardholder-data systems unassessed; too complex and you spend weeks validating controls that do not apply to you. The key questions to ask are:

  • How does your business accept card payments? (Online, in-person, over the phone, or a combination?)
  • Does card data ever pass through your systems, even briefly?
  • Do you store any card data electronically after a transaction?
  • What technology do you use to process payments? (Virtual terminal, payment terminal, website integration?)
  • Have you outsourced any part of the payment process to a third party?

Your acquiring bank can help you determine the correct SAQ type. Many QSAs also offer pre-assessment consultations to ensure you complete the right questionnaire.

Completing the SAQ

Each question in the SAQ maps to a specific PCI DSS requirement. For each question, you must indicate one of the following:

  • Yes: The requirement is fully met
  • Yes with CCW (Compensating Control Worksheet): The requirement is met through an alternative compensating control
  • No: The requirement is not met (you are not compliant)
  • N/A: The requirement does not apply to your environment

Any "No" answer means you have a compliance gap that must be remediated. You cannot submit an SAQ with outstanding "No" responses and claim compliance. Once all requirements are met, you sign an Attestation of Compliance (AOC) and submit both documents to your acquiring bank.

SAQ and Telephone Payments

The SAQ type applicable to telephone payment environments depends on how card data is handled:

  • If agents type card details into a virtual terminal and no card data is stored, SAQ C-VT may apply
  • If agents handle card data in any other way, or if call recordings capture card details, SAQ D is likely required
  • If a DTMF masking solution prevents card data from entering the agent environment entirely, the telephone payment channel may qualify for SAQ A or a significantly simpler assessment

The difference between SAQ C-VT (around 80 questions) and SAQ D (over 300 questions) is substantial. Descoping the telephone environment can save weeks of assessment work and significantly reduce the security controls your organisation needs to maintain.

How Paytia Uses This

One of the most tangible benefits Paytia delivers to its clients is SAQ simplification. By using Paytia's DTMF suppression technology, card data never enters the contact centre environment -- agents cannot hear, see, or access card details at any point. This means the entire telephony infrastructure, agent workstations, call recordings, and associated network segments can be removed from PCI DSS scope.

For many businesses, this descoping allows them to complete a much simpler SAQ type than would otherwise be required. Instead of facing the 300+ questions of SAQ D, organisations using Paytia can often qualify for SAQ A or SAQ C-VT, reducing the compliance burden from weeks of work to a matter of days.

Frequently Asked Questions

Which SAQ do I need to complete?

The SAQ type depends on how your business handles card payments. If you use a hosted payment page and never touch card data, SAQ A applies. If agents type card details into a virtual terminal, SAQ C-VT may apply. If you have a complex environment or store card data, SAQ D is likely required. Your acquiring bank or a QSA can help you determine the correct type.

How many questions are in the PCI DSS SAQ?

It varies significantly by type. SAQ A has around 20 questions, SAQ C-VT has roughly 80, and SAQ D has over 300. The more card data your environment handles, the more questions you need to answer. Reducing your PCI scope through technologies like DTMF masking can qualify you for a simpler SAQ with far fewer requirements.

Can I complete the SAQ myself or do I need a QSA?

Level 2, 3, and 4 merchants can typically self-assess by completing the SAQ without QSA involvement. However, some acquiring banks may require Level 2 merchants to engage a QSA. Even when self-assessment is permitted, many organisations find it helpful to consult a QSA to ensure they are completing the right SAQ type and interpreting requirements correctly.
