PCI DSS Self-Assessment Questionnaire (SAQ) Guide: Which One Do You Need?
Quick Answer
The PCI DSS SAQ is a self-validation tool for Level 2-4 merchants. There are 9 SAQ types (A, A-EP, B, B-IP, C, C-VT, D-Merchant, D-SP, P2PE) based on how you accept card payments. SAQ A is simplest (22 questions) while SAQ D is most comprehensive (329 questions).
What Is a PCI DSS SAQ?
A Self-Assessment Questionnaire (SAQ) is a validation tool used by Level 2, 3, and 4 merchants to self-report their PCI DSS compliance status. Instead of hiring a QSA for an on-site audit, eligible merchants answer a series of yes/no questions about their security controls and submit the results to their acquiring bank.
Key Takeaways
- There are 9 SAQ types in PCI DSS 4.0 — choosing the right one is critical
- SAQ A has only 22 questions (fully outsourced e-commerce); SAQ D has 329 questions
- The SAQ type depends on HOW you accept cards, not your transaction volume
- Reducing your SAQ type (e.g., from D to A) is one of the best ways to cut compliance costs
- SAQs must be completed annually and submitted with an Attestation of Compliance (AOC)
SAQ Types Comparison
| SAQ Type | Description | Questions | Common Use Case |
|---|---|---|---|
| SAQ A | Card-not-present, fully outsourced | 22 | E-commerce using hosted payment page (Stripe Checkout, PayPal) |
| SAQ A-EP | E-commerce with website affecting transaction security | 191 | E-commerce using JavaScript-based integrations (Stripe Elements) |
| SAQ B | Imprint machines or standalone dial-out terminals only | 41 | Small retail with basic card terminals (no IP connection) |
| SAQ B-IP | Standalone PTS POI terminals connected via IP | 82 | Retail with IP-connected payment terminals |
| SAQ C-VT | Web-based virtual terminal (one transaction at a time) | 79 | Phone orders entered via payment processor's virtual terminal |
| SAQ C | Payment application systems connected to the internet | 160 | Retail with POS systems connected to the internet |
| SAQ P2PE | Hardware payment terminals with validated P2PE solution | 33 | Merchants using PCI-validated point-to-point encryption |
| SAQ D (Merchant) | All other merchants not covered by above SAQs | 329 | Complex environments, merchants storing card data |
| SAQ D (SP) | Service providers | 329 | Hosting companies, payment facilitators, managed service providers |
How to Choose Your SAQ Type
SAQ Selection Decision Tree
Follow this simplified decision tree to determine your SAQ type based on how you accept card payments:
1. Do you accept cards online? If no, proceed to the in-person options (step 4).
2. Is the payment page fully hosted by the processor? Yes = SAQ A; No = check whether your site affects security.
3. Does your website impact transaction security? Yes = SAQ A-EP; No = likely SAQ A.
4. Do you use standalone payment terminals? Dial-out = SAQ B; IP-connected = SAQ B-IP.
5. Do you use validated P2PE? Yes = SAQ P2PE (33 questions).
6. None of the above? SAQ D (329 questions) — the catch-all.
SAQ A: The Simplest Option
SAQ A is the gold standard for e-commerce merchants who fully outsource payment processing. To qualify, your website must redirect customers to the payment processor's hosted page (like Stripe Checkout or PayPal) or use an iframe that the processor controls. No card data ever touches your servers.
✅ SAQ A vs A-EP for e-commerce
If you use Stripe Checkout (redirect) or a processor-hosted iframe, you likely qualify for SAQ A (22 questions). If you use Stripe Elements or similar JavaScript that loads on YOUR page, you need SAQ A-EP (191 questions). The difference is whether your website can affect the security of the payment transaction.
SAQ D: The Catch-All
SAQ D applies to any merchant or service provider that does not qualify for a more specific SAQ type. At 329 questions, it covers the full scope of PCI DSS requirements. If you store cardholder data, process payments through your own systems, or have a complex multi-channel environment, you will likely need SAQ D.
Tips for Completing Your SAQ
SAQ Completion Best Practices
- Accurately determine your SAQ type before starting — completing the wrong SAQ wastes time and may not satisfy your acquirer
- Document your cardholder data environment (CDE) scope before answering questions
- Create a data flow diagram showing how card data moves through your systems
- Answer every question honestly — your acquiring bank may audit your responses
- For 'Not Applicable' answers, document why the requirement does not apply
- Use compensating controls worksheets when you cannot meet a requirement exactly as stated
- Keep evidence (screenshots, configurations, policies) to support your answers
- Complete quarterly ASV scans before submitting your SAQ
- Sign and submit the Attestation of Compliance (AOC) along with the SAQ
- Set a calendar reminder for annual renewal — SAQs expire after 12 months
Reducing Your SAQ Scope
Moving from a higher SAQ (like D) to a simpler one (like A or P2PE) is one of the most impactful things you can do for PCI DSS compliance efficiency. Strategies include:
- Switch to hosted payment pages to qualify for SAQ A (saves you from 300+ questions)
- Implement PCI-validated P2PE for in-person payments to qualify for SAQ P2PE
- Use tokenization to eliminate card data storage from your environment
- Move from custom payment integrations to processor-managed solutions
- Segment your network to isolate payment systems from the rest of your infrastructure
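The selection decision tree and the scope-reduction strategies above can be encoded as a small checker, which is useful when tracking what a change of integration does to your question count. This is an added example, not code from the page or the PCI SSC: it follows only the page's simplified tree and table counts (the official eligibility criteria are longer), and the dataclass fields and the `questions_saved` helper are this example's own names.

```python
from dataclasses import dataclass
from typing import Optional

# Question counts taken from the SAQ comparison table above (PCI DSS 4.0).
SAQ_QUESTIONS = {
    "A": 22, "A-EP": 191, "B": 41, "B-IP": 82,
    "C-VT": 79, "C": 160, "P2PE": 33, "D": 329,
}


@dataclass
class PaymentChannels:
    """How a merchant accepts cards (field names are this example's own)."""
    accepts_online: bool = False
    payment_page_fully_hosted: bool = False          # redirect or processor-controlled iframe
    site_affects_transaction_security: bool = False  # e.g. JS card fields served from your page
    in_person_terminals: Optional[str] = None        # "dial-out", "ip", "p2pe" or None
    stores_cardholder_data: bool = False


def select_saq(ch: PaymentChannels) -> str:
    """Walk the simplified decision tree; anything it does not cover falls to SAQ D."""
    # Storing card data or mixing channels is outside the tree: catch-all SAQ D.
    if ch.stores_cardholder_data:
        return "D"
    if ch.accepts_online and ch.in_person_terminals is not None:
        return "D"
    if ch.accepts_online:
        if ch.payment_page_fully_hosted:
            return "A"
        return "A-EP" if ch.site_affects_transaction_security else "A"
    if ch.in_person_terminals == "dial-out":
        return "B"
    if ch.in_person_terminals == "ip":
        return "B-IP"
    if ch.in_person_terminals == "p2pe":
        return "P2PE"
    return "D"


def assess(ch: PaymentChannels) -> dict:
    """SAQ type, question count, and the ASV rule this page's FAQ states (all types except SAQ B)."""
    saq = select_saq(ch)
    return {"saq": saq, "questions": SAQ_QUESTIONS[saq], "asv_scans_required": saq != "B"}


def questions_saved(before: PaymentChannels, after: PaymentChannels) -> int:
    """Questions removed by a scope-reduction change, e.g. custom integration -> hosted page."""
    return assess(before)["questions"] - assess(after)["questions"]
```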
Can I switch SAQ types mid-year?
Yes, if you change how you accept payments (e.g., move from a custom integration to a hosted payment page), you can switch to a different SAQ type at your next annual validation. Document the change and notify your acquiring bank.
What happens if I complete the wrong SAQ?
Your acquiring bank may reject the submission and require you to complete the correct SAQ type. In some cases, this could trigger additional scrutiny or even a requirement for a QSA assessment.
Do I still need ASV scans if I use SAQ A?
Yes. All SAQ types except SAQ B require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Even SAQ A merchants with minimal scope must maintain passing ASV scans.
Can my acquiring bank require a higher SAQ than my business warrants?
Yes. Acquiring banks have the authority to require more stringent validation than the minimum. For example, they may require SAQ D or even a QSA assessment for Level 2 merchants if they perceive elevated risk.