How
It Works

SAQ D (Self-Assessment Questionnaire D) is the most comprehensive PCI DSS self-assessment. It applies when cardholder data is in your environment — for example when staff hear or see card numbers, use virtual terminals to key in card data, or when card data passes through or is stored on your systems. The PCI Security Standards Council publishes SAQ D with over 300 requirements for merchants (PCI DSS v4.0.1). Meeting them means significant security measures, documentation, and ongoing validation. See our PCI DSS compliance page for how Paytia reduces scope.

SAQ A is the shortest PCI DSS self-assessment. It applies when your organisation does not store, process, or transmit cardholder data and has outsourced all cardholder data functions to a compliant third party. If card data never enters your phone system and your agents cannot hear or see full PANs — for example because of DTMF masking — you may qualify for SAQ A — just 22 controls (vs over 300 for SAQ D).

DTMF masking means that when a customer enters their card number using their phone keypad, the tones are masked or suppressed so that they cannot be used to recover the card number on your systems or call recordings. The payment is still sent securely to your payment processor for authorisation. Because your environment never receives the card data, it stays out of PCI scope. Learn more in our DTMF suppression and keypad payments solution pages.

When staff hear, see, retype, or write down card data — or when you use a virtual terminal that requires card data to be entered into your systems — your business is in scope for PCI DSS. That typically means SAQ D: training, access controls, logging, secure disposal, network security, and annual assessments. The cost includes security infrastructure, audit fees, training programmes, and the risk of fraud or breach. Paytia removes card data from your environment so you can avoid that burden. See agent-assisted payments and PCI DSS compliance for how we help.

When card data never enters your environment, your staff cannot accidentally expose it, and there is nothing to steal from your systems. That reduces fraud risk and the need for PCI-specific staff training and monitoring. You also avoid the ongoing cost of maintaining the security controls required when card data is present. See our agent-assisted payments and support centre for how we support implementation.

The PCI Security Standards Council (pcisecuritystandards.org) publishes the PCI DSS standard and SAQ documents. SAQ eligibility and requirement counts are set by the Council; PCI DSS v4.0.1 and the related SAQ bulletins are the current reference for merchants. On our site, see PCI DSS compliance and PCI DSS (legal) for how Paytia helps reduce scope.