SAQ D — Full PCI DSS Standard

PCI DSS SAQ D Compliance Guide

The comprehensive self-assessment covering all PCI DSS requirements — for merchants who store CHD and service providers who handle payment data.

SAQ D is the full PCI DSS standard. GRCTrack helps you navigate all 12 requirement areas with structured workflows and expert guidance.

What Is SAQ D?

SAQ D is the most comprehensive PCI DSS Self-Assessment Questionnaire, covering the full set of PCI DSS requirements. It is the catch-all SAQ for merchants and service providers whose payment environments do not qualify for any of the simplified SAQ types (A, A-EP, B, B-IP, C, C-VT, or P2PE).

SAQ D exists in two variants. SAQ D for Merchants applies to merchants who store, process, or transmit cardholder data and do not qualify for a reduced SAQ. SAQ D for Service Providers is the only SAQ available to service providers: it applies to any service provider eligible to self-assess that stores, processes, or transmits cardholder data on behalf of other entities (Level 1 service providers undergo a QSA-led Report on Compliance instead). The service provider variant includes additional requirements that apply only to service providers, such as those covering multi-tenant environments and shared infrastructure.

With approximately 329 requirements spanning all 12 PCI DSS requirement areas, SAQ D demands the most evidence, documentation, and technical controls of any SAQ type. However, this is not a penalty — it is the same robust standard that protects the world's largest payment processors. Proper scoping, network segmentation, and a structured compliance approach make SAQ D achievable for organisations of any size.

Who Must Complete SAQ D?

Merchants who electronically store cardholder data (e.g., for recurring billing or transaction records)
Merchants who process or transmit CHD and do not qualify for SAQ A, A-EP, B, B-IP, C, C-VT, or P2PE
Service providers who store, process, or transmit cardholder data on behalf of other entities
Payment processors, gateways, and hosting providers that handle CHD
Merchants with complex payment environments spanning multiple channels (e-commerce, in-store, MOTO)
Organisations designated by their acquiring bank as requiring SAQ D based on risk assessment

All 12 PCI DSS Requirement Areas

SAQ D covers every requirement in the PCI DSS standard, organised across these 12 areas.

Req 1: Network Security Controls

Install and maintain network security controls (firewalls and other NSCs) to restrict traffic between the cardholder data environment and untrusted networks, with documented rules for every permitted flow.

Req 2: Secure Configurations

Apply secure configurations to all system components. Change vendor defaults, remove unnecessary services, and harden all in-scope systems.

Req 3: Protect Stored CHD

Protect stored account data: render PAN unreadable wherever it is stored (strong encryption, truncation, index tokens, or keyed one-way hashes), mask PAN when displayed (at most the BIN and last four digits), minimise data retention, and secure cryptographic keys.
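The following is an added example, not code from the page or from GRCTrack, showing the Req 3 techniques in working form: display masking that leaves only BIN and last four visible, storage truncation that cannot be reversed, a keyed (HMAC) hash for lookups without the PAN, and a Luhn-filtered scan that finds full PANs leaking into logs or other files that should never hold them. The PAN and log lines are constructed test data (4111 1111 1111 1111 is a well-known Visa test number), and the HMAC key is a placeholder; in production the key lives in an HSM or key-management service under Req 3.7 key management.

```python
import hashlib
import hmac
import re

# Constructed test PAN (well-known Visa test number, not a real account).
SAMPLE_PAN = "4111 1111 1111 1111"

# Placeholder key for the keyed hash; a real deployment pulls this from an
# HSM/KMS and never embeds it in code. Assumption for this example only.
HASH_KEY = b"replace-with-kms-managed-key"

# Runs of 13-19 digits, allowing a single space or hyphen between digits,
# and not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check: true only for digit strings that are plausibly a PAN."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form (Req 3.4.1): BIN and last four at most, rest starred."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form: first six + last four only; the full PAN is gone."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + digits[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) usable as a lookup/index value.

    PCI DSS v4.0 (3.5.1.1) calls for keyed cryptographic hashes rather than
    a bare SHA-256, so a stolen table cannot be brute-forced from BIN ranges.
    """
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN candidates found in free text (logs, dumps)."""
    return [m.group(0) for m in PAN_RE.finditer(text)
            if luhn_valid(m.group(0))]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked display form."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
        text)


# Constructed log lines: one leaks a real-looking PAN, one carries a
# 16-digit order reference that fails Luhn and must not be flagged.
SAMPLE_LOG = (
    "2024-05-01T12:00:00Z order=8841 card=4111-1111-1111-1111 amount=10.00\n"
    "2024-05-01T12:00:01Z order=8842 ref=1234567890123456 amount=42.00\n"
)

if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))        # 411111******1111
    print(truncate_pan(SAMPLE_PAN))    # 4111111111
    print(hash_pan(SAMPLE_PAN))
    print(find_pans(SAMPLE_LOG))       # ['4111-1111-1111-1111']
    print(redact_pans(SAMPLE_LOG))
```

The Luhn filter is what keeps a log scan usable: timestamps, order numbers and other long digit runs fail it, so only genuine PAN candidates are reported. Note that a truncated value and a hash of the same PAN must not be stored side by side without extra controls, since together they narrow the brute-force space considerably.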

Req 4: Encrypt Transmissions

Protect cardholder data with strong cryptography during transmission over open, public networks including the internet.

Req 5: Malware Protection

Protect all systems and networks from malicious software. Deploy and maintain anti-malware solutions on all applicable system components.

Req 6: Secure Development

Develop and maintain secure systems and software. Includes secure SDLC, code reviews, vulnerability management, and web application protection.

Req 7: Restrict Access

Restrict access to system components and cardholder data by business need-to-know. Implement role-based access control.

Req 8: Identify & Authenticate

Identify users and authenticate access. Require unique IDs, strong passwords or passphrases, MFA for all access into the CDE, and controlled, individually accountable use of service and application accounts.

Req 9: Physical Security

Restrict physical access to cardholder data and systems. Secure facilities, media, and point-of-interaction devices.

Req 10: Logging & Monitoring

Log and monitor all access to system components and cardholder data. Implement audit trails, time synchronisation, and log reviews.

Req 11: Security Testing

Test security regularly through vulnerability scans, penetration tests, intrusion detection, file integrity monitoring, and change detection.

Req 12: Security Policies

Support information security with organisational policies, risk assessments, security awareness, incident response, and third-party management.

Common SAQ D Mistakes

Assuming SAQ D Means Failure

SAQ D is not a failure state; it is the full PCI DSS standard. Many legitimate and well-run organisations complete SAQ D because their business model involves storing or processing cardholder data. Service providers that self-assess always use SAQ D for Service Providers, since no reduced SAQ exists for them. The key is approaching it with proper planning and tooling.

Underestimating Evidence Volume

SAQ D requires evidence for approximately 329 requirements. Many organisations begin the process without understanding the scale of documentation needed — including policies, procedures, configuration standards, scan reports, penetration test results, training records, and access reviews. Without a structured evidence management system, compliance efforts quickly become disorganised.

Not Engaging a QSA for Guidance

While SAQ D is a self-assessment, the complexity of the full PCI DSS standard makes QSA guidance extremely valuable. A QSA can validate your scoping, recommend compensating controls, interpret ambiguous requirements, and provide confidence that your self-assessment is accurate. A self-assessment that misjudges scope or misreads a requirement leaves real gaps that an attacker, rather than an assessor, will eventually find.

Ignoring Network Segmentation for Scope Reduction

Without network segmentation, every system that can reach the cardholder data environment on a flat network is in scope for PCI DSS. Implementing segmentation between the CDE and other networks, and verifying it with the segmentation penetration testing PCI DSS requires (at least annually for merchants, every six months for service providers), dramatically reduces the number of systems requiring PCI DSS controls. This is the single most impactful scope reduction strategy for SAQ D.

How GRCTrack Helps with SAQ D Compliance

Complete PCI DSS 4.0.1 control library with all 329 requirements mapped, guided, and evidence-linked
Structured evidence management system to organise documentation across all 12 requirement areas
Cross-framework mapping for organisations managing PCI DSS alongside ISO 27001, SOC 2, or GDPR
Network segmentation planning guidance to help reduce SAQ D scope and minimise compliance burden
QSA collaboration tools for sharing assessments, evidence, and remediation plans with your assessor
AI-powered compliance guidance built by certified QSAs to interpret requirements and suggest controls


Ready to Tackle SAQ D with Confidence?

GRCTrack structures the full PCI DSS standard into manageable workflows so you never lose track of a requirement.