If your business accepts credit or debit card payments, PCI compliance is not optional. But for many small and mid-sized merchants, the path to compliance doesn’t involve a full-scale audit—it starts with a document called the Self-Assessment Questionnaire, or SAQ.
In this article, we’ll explore what the SAQ is, who needs to complete it, which version applies to your business, and how it fits into your broader PCI DSS responsibilities.
🔐 What Is the SAQ?
The Self-Assessment Questionnaire (SAQ) is a validation tool used by merchants and service providers to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS). It’s a series of yes/no questions based on the 12 core PCI DSS requirements.
Think of it as a self-audit for your payment environment.
💡 Unlike large merchants (Level 1), who must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), most Level 2–4 merchants can validate compliance by completing an SAQ.
👥 Who Needs to Complete an SAQ?
You need to complete an SAQ if you store, process, or transmit payment card data and you’re not required to submit a full Report on Compliance (ROC). This includes:
- Brick-and-mortar merchants using point-of-sale (POS) systems
- E-commerce businesses
- Merchants using virtual terminals
- Mobile payment processors
Your PCI Level (based on annual transaction volume) and your card acceptance method (e.g., in-person, online, or both) determine:
- Whether you can use an SAQ
- Which SAQ type applies
🧩 The Different Types of SAQs
There isn’t just one SAQ—there are multiple versions, each tailored to a specific business setup. Choosing the correct one is crucial for both compliance and risk reduction.
| SAQ Type | Best For | Data Handling | Notes |
|---|---|---|---|
| SAQ A | Fully outsourced e-commerce or mail/telephone order (MOTO) merchants | No cardholder data touches your systems | All processing done by PCI-compliant third party |
| SAQ A-EP | E-commerce merchants with some involvement in webpage delivery | No cardholder data storage | Hosting environment must be secured |
| SAQ B | In-person merchants using only imprint machines or stand-alone dial-out terminals | No storage, simple devices | No internet connectivity |
| SAQ B-IP | Merchants using IP-connected standalone payment terminals | No cardholder data storage | Devices must be PCI-listed and isolated from other systems |
| SAQ C | Merchants with payment applications on a dedicated device | No cardholder data storage | Connected to the internet, but on a secure, segmented network |
| SAQ C-VT | Merchants who manually enter card data into a virtual terminal on a secured device | No cardholder data storage | No electronic cardholder data recorded |
| SAQ D – Merchant | All other merchant types | May store or process cardholder data | Full set of PCI DSS controls must be addressed |
| SAQ D – Service Provider | Service providers handling card data for others | Full data environment | Most complex; equivalent to Level 1 requirements |
🛠 Example: A small online store that redirects customers to a hosted checkout page (like Stripe or PayPal) would likely use SAQ A.
📋 What Does an SAQ Include?
Each SAQ consists of:
- A series of yes/no questions based on the PCI DSS version 4.0 requirements
- An Attestation of Compliance (AOC), which must be signed by an authorized officer
- Supporting documentation if applicable (e.g., network diagrams, scan results)
Some SAQs (like A and C-VT) are relatively short. Others (like SAQ D) can have 300+ requirements and require in-depth IT documentation.
🔄 How Often Should You Complete an SAQ?
- Annually: PCI DSS requires SAQs to be completed once every 12 months
- After any major change to your payment environment (e.g., new gateway, network changes)
- Quarterly: If applicable, submit ASV scan reports alongside your SAQ
Many processors will remind you or even require that you complete the SAQ through a PCI portal to remain in good standing.
💰 Are There Fees Involved?
The SAQ itself is free—you can download it from the PCI Security Standards Council’s website.
However, your payment processor may charge PCI compliance fees if they:
- Provide access to a secure portal for SAQ completion
- Bundle quarterly vulnerability scans
- Include data breach protection or compliance support
If you’re being charged, make sure you understand what services are included and whether you’re required to use them.
⚠️ Common Mistakes to Avoid
- Using the wrong SAQ type
→ Match your environment to the SAQ version carefully. - Saying “yes” when “no” is the honest answer
→ You must fix the issue or create a remediation plan. - Failing to complete quarterly scans (if required)
→ Especially important for internet-facing systems. - Signing without understanding
→ The Attestation of Compliance is a legal document.
✅ How to Get Started
- Determine your PCI level and environment
- Download the appropriate SAQ from the PCI SSC SAQ Library
- Answer all questions honestly and completely
- Address any gaps before signing
- Submit your SAQ and AOC to your processor or acquiring bank
🔚 Final Thoughts: SAQ = Simpler Compliance
The Self-Assessment Questionnaire is a powerful tool for helping small and medium-sized merchants meet PCI DSS obligations without the need for costly audits. By choosing the right SAQ version and completing it carefully each year, you not only meet compliance requirements but also show your customers and partners that you take payment security seriously.
If you’re unsure about which SAQ applies to you or how to get started, reach out to your payment processor or consult with a PCI expert. It’s always better to ask than to risk a data breach or non-compliance penalty.
