PCI DSS Self-Assessment Questionnaires (SAQs)
Most businesses validate PCI DSS compliance through a Self-Assessment Questionnaire. There are several SAQ types — this guide helps you find the right one for your setup.
What Is a Self-Assessment Questionnaire?
For the vast majority of businesses, PCI DSS compliance validation means completing a Self-Assessment Questionnaire — an SAQ. It's a structured form published by the PCI Security Standards Council that asks you to confirm whether your business meets specific PCI DSS requirements based on how you handle card data.
Think of it as a compliance checklist tailored to your particular payment setup. Rather than having an external auditor test every aspect of your security (which is what Level 1 merchants must do, as we covered in Guide 3), an SAQ allows you to self-certify that you're meeting the requirements. You complete it annually, sign an Attestation of Compliance (AoC), and submit both to your acquiring bank.
But here's what catches many businesses off guard: there isn't just one SAQ. There are several types, each designed for a specific way of accepting card payments. Choosing the right one is critical — using the wrong SAQ means you're either answering questions that don't apply to you or, worse, missing requirements that do.
The SAQ Types Explained
The PCI SSC publishes several SAQ types. Each one corresponds to a particular payment acceptance method and scope. Here's what you need to know about each:
SAQ A — Card-Not-Present, Fully Outsourced
Questions: 22
SAQ A is the simplest questionnaire and the one every business should aim for if possible. It applies when you've fully outsourced all card data handling to PCI-compliant third parties. Your systems never store, process, or transmit cardholder data.
Typical scenarios for SAQ A:
- E-commerce businesses using a hosted payment page (like Stripe Checkout or PayPal) where the customer enters card details on the provider's site, not yours
- Businesses taking telephone payments through a DTMF masking solution like Paytia, where card data goes directly to the payment processor without passing through your systems
- Mail order businesses where card details are entered directly into a third-party terminal by the merchant, with no electronic storage
With just 22 questions, SAQ A is manageable for even the smallest business without dedicated IT or compliance staff.
SAQ A-EP — E-Commerce with Partial Outsourcing
Questions: 191
SAQ A-EP applies to e-commerce merchants who partially outsource card processing but whose website still plays a role in the payment transaction — for example, by hosting payment page elements or using JavaScript that could affect the security of the payment process, even though card data is ultimately processed by a third party.
A common example is using a payment provider's embedded form (an iframe) within your own checkout page. Your server doesn't touch the card data directly, but your website's code and hosting environment could potentially be compromised to intercept it. At 191 questions, SAQ A-EP is significantly more demanding than SAQ A, covering web application security, vulnerability scanning, and more.
SAQ B — Imprint Machines or Standalone Dial-Out Terminals
Questions: 41
SAQ B is for merchants using standalone, dial-out payment terminals (the physical card machines that connect over a phone line) or old-fashioned manual imprint machines. These terminals must not be connected to your network or the internet. It's an increasingly rare scenario as most modern terminals use IP connectivity.
SAQ B-IP — Standalone IP-Connected Terminals
Questions: 82
SAQ B-IP covers merchants using standalone payment terminals that connect to the payment processor over an IP network (internet or private network) rather than a phone line. The terminals are PTS-approved (a hardware security standard) and are not connected to any other systems in your environment.
This is common in retail settings where the card machine connects via Ethernet or Wi-Fi to process transactions, but isn't integrated with a point-of-sale system or back-office network.
SAQ C — Payment Application Systems Connected to the Internet
Questions: 160
SAQ C is for merchants whose payment application system (such as a point-of-sale system) is connected to the internet but doesn't store cardholder data electronically. The payment application must be on a segmented network — isolated from the rest of your business systems.
SAQ C-VT — Virtual Terminal, One Transaction at a Time
Questions: 79
SAQ C-VT applies to merchants who manually enter card details into a web-based virtual terminal provided by their payment processor. The key requirements are that you're entering one transaction at a time (not batch processing), the virtual terminal is provided by your PCI-compliant processor, and your computer isn't storing card data.
This is common in small businesses and contact centres where agents type card numbers into a browser-based payment page. Note, however, that this means agents see and handle card data, which brings their workstations, the network, and the agents themselves into PCI scope. For businesses looking to avoid this, DTMF masking solutions can remove the agent from the card data flow entirely, potentially qualifying you for SAQ A instead.
SAQ D — Everyone Else
Questions: 326 (for merchants) / 347 (for service providers)
SAQ D is the full questionnaire. It covers every single PCI DSS requirement in detail. You need SAQ D if your payment setup doesn't fit neatly into any of the other SAQ categories — which usually means you store, process, or transmit cardholder data within your own systems in ways that aren't covered by the more specific SAQs.
Examples include businesses that store card numbers in their own database, process card transactions through their own servers, or have complex payment environments spanning multiple channels and systems.
SAQ D is a substantial undertaking. With 326 questions covering all 12 PCI DSS requirements, it demands significant time, technical expertise, and documentation. The compliance cost difference between SAQ A and SAQ D is enormous — not just in the time to complete the questionnaire, but in the security controls, monitoring, and documentation you need to have in place.
SAQ P2PE — Point-to-Point Encryption
Questions: 33
SAQ P2PE applies to merchants using a validated Point-to-Point Encryption (P2PE) solution for their in-person card payments. P2PE encrypts card data from the moment of interaction at the terminal, meaning your systems never have access to unencrypted card data. This significantly reduces scope, bringing the questionnaire down to just 33 questions.
How to Determine Which SAQ You Need
Choosing the right SAQ requires honest assessment of how card data flows through your business. Ask yourself these questions:
- Do your systems ever store card data? If yes, you're likely looking at SAQ D.
- Do your systems process or transmit card data? If you've fully outsourced this, SAQ A may apply. If your systems are involved in the transaction flow, consider SAQ A-EP, C, or C-VT.
- Do your staff see or hear card numbers? If agents type card data into a virtual terminal, that's SAQ C-VT. If you use DTMF masking so agents never encounter card data, you could qualify for SAQ A.
- What kind of payment terminals do you use? Standalone dial-out terminals point to SAQ B. IP-connected standalone terminals suggest SAQ B-IP. Terminals using validated P2PE suggest SAQ P2PE.
When in doubt, consult your acquiring bank or a Qualified Security Assessor. Getting the SAQ wrong can mean either unnecessary work (using a more stringent SAQ than required) or a compliance gap (using a less stringent SAQ than your setup actually demands).
Completing Your SAQ
Once you know which SAQ applies, the process is relatively straightforward:
- Read the SAQ instructions — each SAQ has an introductory section explaining its scope, eligibility criteria, and how to answer the questions
- Answer each question honestly — for each control, you'll indicate whether it's in place, not in place, not applicable, or whether you've implemented a compensating control
- Document your evidence — while the SAQ is self-assessed, you should maintain documentation that supports your answers. If questioned by your acquiring bank or in the event of a breach, you'll need to show your work
- Complete the Attestation of Compliance (AoC) — this is a signed declaration confirming your compliance status
- Submit to your acquiring bank — deadlines and submission methods vary by bank
Remember that an SAQ is an annual requirement. But compliance itself is continuous — you need to maintain the controls you've attested to throughout the year, not just at assessment time. PCI DSS v4.0.1 places particular emphasis on this ongoing compliance expectation.
Reducing Your SAQ Burden
The single most impactful thing you can do for PCI compliance is to simplify your SAQ by reducing your scope. Every system, process, and person that touches card data adds questions to your assessment and controls to your environment.
Practical steps to move towards a simpler SAQ:
- Use hosted payment pages for online transactions instead of processing card data on your own servers
- Implement DTMF masking for telephone payments so agents never encounter card data — this can shift you from SAQ C-VT or SAQ D to SAQ A
- Use P2PE terminals for in-person payments to qualify for the lightweight SAQ P2PE
- Stop storing card data if there's no genuine business need — use tokenisation instead
We cover scope reduction strategies in detail in Guide 5: Descoping Your PCI Environment.
Key Takeaways
- An SAQ is how most businesses validate PCI DSS compliance — it's an annual self-assessment tailored to your specific payment setup
- There are multiple SAQ types (A, A-EP, B, B-IP, C, C-VT, D, and P2PE), each for different payment scenarios — choosing the right one is essential
- SAQ A is the simplest at 22 questions, available to businesses that fully outsource card data handling. SAQ D is the most demanding at 326 questions, covering all 12 PCI DSS requirements
- The SAQ you qualify for depends on how card data flows through your business — not just whether you store it, but whether your systems or staff encounter it at any point
- Reducing scope is the key to a simpler SAQ — technologies like hosted payment pages, DTMF masking, and P2PE can dramatically reduce your compliance burden
- Compliance is continuous — maintain the controls you've attested to throughout the year, not just at assessment time
Frequently Asked Questions
Which SAQ do I need?
It depends on how you accept card payments. SAQ A is for businesses that fully outsource all card processing. SAQ D is for businesses that store or process card data themselves. There are several types in between covering specific scenarios.
How often do I need to complete an SAQ?
SAQs must be completed annually. You also need to keep evidence of your compliance controls throughout the year, not just at assessment time.
Can I switch to a simpler SAQ?
Yes — by descoping your environment. For example, using a solution like Paytia for telephone payments can move you from SAQ D (326 questions) to SAQ A (22 questions) by removing card data from your systems entirely.