What are Self-Assessment Questionnaires (SAQ)?

A Self-Assessment Questionnaire (SAQ) is a validation tool used to assess your compliance with PCI DSS (Payment Card Industry Data Security Standard) requirements.

 Most merchants that accept card payments are required by their acquirer or the card brands to validate PCI DSS compliance every year. The PCI Security Standards Council (PCI SSC) publishes the standard and the SAQ documents, but the obligation itself comes from the payment brands and your acquirer. Merchants below Level 1 normally validate with an SAQ plus a signed Attestation of Compliance (AOC); Level 1 merchants need an on-site assessment and a Report on Compliance (ROC) rather than an SAQ.

 Note that the SAQ types covering Internet-connected systems (A-EP, B-IP, C and D) include Requirement 11.3.2, quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV), together with 11.3.2.1, a rescan after any significant change. Check the requirement list of the SAQ you select rather than assuming that outsourcing takes scanning out of scope.

  There are several SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE), each tailored to a different payment processing scenario. The type you need depends on:

  • How you accept card payments (e-commerce, terminal, manual entry, etc.)
  • Whether cardholder data flows through, or is stored on, your own systems
  • Which PCI DSS validated third parties or PCI SSC-listed solutions (for example a hosted payment page or a P2PE solution) handle the data on your behalf

  Your transaction volume does not select the SAQ type. It sets your merchant level, which determines whether you may self-assess at all or must have a QSA-led Report on Compliance instead.

Definitions of the different SAQ types

SAQ A is for merchants who have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers. These merchants do not store, process, or transmit any cardholder data on their systems or premises. This SAQ is applicable to e-commerce or mail/telephone-order merchants (card-not-present) and is not applicable to face-to-face channels. Outsourcing shortens the questionnaire but does not empty it: under PCI DSS v4.0, SAQ A includes, among other controls, Requirements 6.4.3 and 11.6.1 on inventorying, authorising and monitoring the scripts and content of the merchant page that redirects to, or embeds, the provider's payment form.

SAQ A-EP is for e-commerce merchants who outsource all payment processing to PCI DSS validated third parties but have a website that can impact the security of the payment transaction, for example because the merchant's page posts card data directly to the processor (direct post) or serves the JavaScript that builds the payment form. These merchants do not store, process, or transmit any cardholder data on their systems or premises, but their web environment is in scope because a compromise of it could redirect or capture the data.

SAQ B is for merchants using only imprint machines or standalone, dial-out terminals with no electronic cardholder data storage. This SAQ is not applicable to e-commerce channels.

SAQ B-IP is for merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. This SAQ is not applicable to e-commerce channels.

SAQ C-VT is for merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution provided and hosted by a PCI DSS validated third-party service provider, accessed from a computer that is isolated in a single location and not connected to other systems. These merchants do not store electronic cardholder data.

SAQ C is for merchants with payment application systems connected to the Internet, but who do not store electronic cardholder data. This SAQ is not applicable to e-commerce channels.

SAQ P2PE is for merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage. This SAQ is not applicable to e-commerce channels.

SAQ D for Merchants is for all merchants not covered by the descriptions for the above SAQ types. This includes merchants that store, process, or transmit cardholder data electronically.

SAQ D for Service Providers is for all service providers defined by a payment brand as eligible to complete a self-assessment questionnaire. This SAQ is the only option for service providers and covers the electronic storage, processing, or transmission of cardholder data.
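The eligibility rules above, encoded as one decision procedure so the order of the checks is explicit (electronic storage first, then card-not-present outsourcing, then terminal-only and Internet-connected setups, with everything else falling through to SAQ D for Merchants). This is an added example written for this article, not code from the PCI SSC or from the PCI Portal; the `MerchantProfile` field names and terminal labels are this example's own assumptions, SAQ D for Service Providers is out of scope, and the result must still be checked against the eligibility checklist printed at the front of the chosen SAQ and confirmed with your acquirer.

```python
"""SAQ type selector built from the SAQ definitions in this article.

Example code, not a PCI SSC tool. Field names and terminal labels on
MerchantProfile are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

CNP_CHANNELS = frozenset({"ecommerce", "moto"})  # card-not-present channels
ALL_CHANNELS = CNP_CHANNELS | {"face_to_face"}
TERMINAL_KINDS = {None, "imprint_or_dialout", "pts_ip", "p2pe_listed"}


@dataclass(frozen=True)
class MerchantProfile:
    # Subset of ALL_CHANNELS the merchant uses to accept cards.
    channels: frozenset
    # Any electronic storage of cardholder data on merchant systems.
    stores_chd_electronically: bool = False
    # All storage, processing and transmission handled by PCI DSS validated
    # third parties (hosted payment page / full redirect, outsourced MOTO).
    fully_outsourced: bool = False
    # E-commerce site can affect the payment (direct post, merchant-served
    # JavaScript form) even though the provider processes the card data.
    website_affects_payment: bool = False
    # One of TERMINAL_KINDS; "p2pe_listed" means a PCI SSC-listed P2PE solution.
    terminal: str | None = None
    # Single transactions keyed into a provider-hosted virtual terminal.
    virtual_terminal: bool = False
    # Merchant-managed payment application connected to the Internet.
    internet_payment_application: bool = False


def select_saq(p: MerchantProfile) -> str:
    """Return the SAQ the profile is eligible for, falling through to SAQ D."""
    unknown = p.channels - ALL_CHANNELS
    if unknown or not p.channels:
        raise ValueError(f"unsupported channels: {sorted(unknown) or 'none'}")
    if p.terminal not in TERMINAL_KINDS:
        raise ValueError(f"unknown terminal kind: {p.terminal!r}")

    # Electronic storage of cardholder data rules out every reduced SAQ.
    if p.stores_chd_electronically:
        return "SAQ D"

    # SAQ A / A-EP: card-not-present channels only, everything outsourced.
    if p.fully_outsourced and p.channels <= CNP_CHANNELS:
        if "ecommerce" in p.channels and p.website_affects_payment:
            return "SAQ A-EP"
        return "SAQ A"

    # Every remaining reduced SAQ excludes e-commerce, so an e-commerce
    # channel that is not fully outsourced lands in SAQ D.
    if "ecommerce" in p.channels:
        return "SAQ D"

    # B, B-IP, P2PE, C-VT and C each apply to merchants using ONLY that
    # mechanism; a mixed environment has no reduced SAQ and goes to D.
    mechanisms = sum(
        [p.terminal is not None, p.virtual_terminal, p.internet_payment_application]
    )
    if mechanisms > 1:
        return "SAQ D"

    if p.terminal == "p2pe_listed":
        return "SAQ P2PE"
    if p.terminal == "imprint_or_dialout":
        return "SAQ B"
    if p.terminal == "pts_ip":
        return "SAQ B-IP"
    if p.virtual_terminal:
        return "SAQ C-VT"
    if p.internet_payment_application:
        return "SAQ C"

    # Anything else (face-to-face with no listed mechanism, unusual setups).
    return "SAQ D"


if __name__ == "__main__":
    # Constructed sample profiles for a quick demonstration.
    samples = {
        "hosted payment page shop": MerchantProfile(
            channels=frozenset({"ecommerce"}), fully_outsourced=True),
        "shop serving its own card form JS": MerchantProfile(
            channels=frozenset({"ecommerce"}), fully_outsourced=True,
            website_affects_payment=True),
        "retail store with P2PE terminals": MerchantProfile(
            channels=frozenset({"face_to_face"}), terminal="p2pe_listed"),
        "call centre using hosted virtual terminal": MerchantProfile(
            channels=frozenset({"moto"}), virtual_terminal=True),
        "store with IP terminals and a web shop": MerchantProfile(
            channels=frozenset({"face_to_face", "ecommerce"}), terminal="pts_ip"),
    }
    for name, profile in samples.items():
        print(f"{name}: {select_saq(profile)}")
```

The order of the checks is the point: any electronic storage of cardholder data disqualifies every reduced questionnaire before anything else is considered, and a profile that combines more than one acceptance mechanism (say, IP terminals plus a virtual terminal) ends up in SAQ D because each reduced SAQ is written for merchants using only that mechanism.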

PCI Portal

Our PCI Portal simplifies the process of performing and actioning the results of SAQs, making it easier to ensure PCI DSS compliance is maintained.

