Most small and mid-sized businesses use a Self-Assessment Questionnaire to validate PCI DSS compliance. Choosing the wrong one, or completing it incorrectly, creates real risk. We help you get it right.
A Self-Assessment Questionnaire (SAQ) is a set of yes/no questions that merchants and service providers use to validate their PCI DSS compliance annually. Most Level 2, 3, and 4 merchants are eligible to use an SAQ rather than a full QSA-conducted audit.
There are nine SAQ types. Each applies to a different payment environment — the type of terminals, whether you store cardholder data, how your e-commerce payments work, and other factors. Using the wrong SAQ type doesn't just create confusion — it can mean certifying compliance you don't actually have, which creates liability.
| SAQ Type | Who It Applies To | Key Requirement |
|---|---|---|
| SAQ A | Card-not-present merchants that have fully outsourced all cardholder data functions to PCI DSS compliant service providers | No cardholder data on your systems; iFrame or redirect checkout |
| SAQ A-EP | E-commerce merchants who partially outsource payment processing but whose website affects the security of the payment transaction | Direct-post or similar integration where your page is involved in the transaction flow |
| SAQ B | Merchants with imprint machines or standalone dial-out terminals; no electronic cardholder data storage | No electronic storage; physical card present |
| SAQ B-IP | Merchants using only IP-connected hardware payment terminals with no electronic storage | PTS-approved terminals; no cardholder data storage |
| SAQ C | Merchants with payment application systems connected to the internet; no electronic cardholder data storage | Payment app on internet-connected system; segmented from other systems |
| SAQ C-VT | Merchants using virtual payment terminals accessed via web browser from an isolated computer | Single, isolated computer for payment processing only |
| SAQ D (Merchant) | All merchants not eligible for the above SAQs | All 12 PCI DSS requirements apply |
| SAQ D (Service Provider) | Service providers eligible to complete an SAQ | Full PCI DSS requirements applicable to service providers |
| SAQ P2PE | Merchants using only hardware payment terminals within a PCI SSC-listed P2PE solution | Listed P2PE solution used; no electronic cardholder data storage |
The most common mistake: e-commerce businesses frequently complete SAQ A when they actually qualify only for SAQ A-EP, or vice versa. The distinction depends on how your payment page works technically: whether the card-data fields are delivered entirely by a compliant third party (iFrame or redirect), or whether your own page participates in the transaction flow (direct-post or similar). Getting this wrong means you are certifying compliance against the wrong set of requirements.
1. We review your payment environment (checkout flow, terminal setup, data storage practices, and third-party relationships) and identify which SAQ type applies to your specific situation.
2. We walk through each question with you in plain English, explaining what the question is actually asking and how to answer it accurately for your environment.
3. If working through the SAQ reveals areas where the accurate answer is "No" but compliance requires "Yes", we flag those as items to address before submission.
4. Before you submit to your acquirer, we review your completed SAQ for consistency, accuracy, and anything that might draw scrutiny.
The right SAQ type, completed correctly, is one of the clearest signals of compliance readiness. We'll help you get there.