What if my business spans multiple SAQ types?

If your business has multiple payment channels that qualify for different SAQ types, you generally need to complete the most comprehensive SAQ that covers all your channels, or you may segment your environments and complete separate SAQs for each. For example, if you have an e-commerce site (SAQ A) and a retail location with IP-connected terminals (SAQ B-IP), you could segment these environments and complete each SAQ independently. However, if environments share systems or networks, the broader SAQ applies. Consult your acquiring bank or a QSA for guidance on segmentation strategies.

Can my acquirer override the SAQ selection?

Yes. Your acquiring bank (the bank that processes your card transactions) has the final authority on which SAQ type you must complete. While the PCI SSC provides eligibility criteria, your acquirer may impose additional requirements based on your transaction volume, risk profile, or history of breaches. Some acquirers require SAQ D for all merchants regardless of size, while others may accept a simpler SAQ type. Always confirm your SAQ selection with your acquirer before beginning your assessment.

What happens if I choose the wrong SAQ?

Choosing the wrong SAQ can have serious consequences. If you complete a simpler SAQ than required, you may have unaddressed security gaps that leave cardholder data at risk. In the event of a data breach, an incorrect SAQ determination can result in higher fines, increased liability, mandatory forensic investigations at your expense, and potential loss of card processing privileges. Your acquirer may also require you to retroactively complete the correct SAQ and impose penalties for the initial misclassification.

Is there a simpler way to determine my SAQ?

The PCI SSC publishes an official SAQ instruction document with detailed eligibility criteria for each type. Many acquiring banks also provide SAQ selection tools or guidance. GRCTrack offers an automated SAQ type selector that asks targeted questions about your payment architecture and recommends the appropriate SAQ type. For complex environments, consulting a Qualified Security Assessor (QSA) is the most reliable way to ensure correct SAQ classification.

How often do I need to reassess my SAQ type?

You should reassess your SAQ type annually as part of your PCI DSS compliance cycle, and whenever you make significant changes to your payment processing environment. Adding a new payment channel, switching payment processors, changing your e-commerce integration method, or expanding to new business models can all affect your SAQ eligibility. PCI DSS v4.0.1 also introduced new requirements that may change your SAQ type — for example, additional script management obligations for merchants previously on SAQ A.

Do service providers use SAQs?

Service providers that store, process, or transmit cardholder data on behalf of other entities typically use SAQ D for Service Providers or undergo a full Report on Compliance (ROC) assessment by a QSA. The SAQ decision tree primarily applies to merchants. Service providers have different validation requirements based on their transaction volume and the card brands they support. Level 1 service providers are always required to complete a ROC.

← All SAQ Types

SAQ Decision Guide

PCI DSS SAQ Decision Tree: Find Your Assessment Type

Not sure which PCI DSS Self-Assessment Questionnaire applies to your organization? Walk through our step-by-step decision tree to determine the right SAQ type based on how you handle cardholder data.

Six questions stand between you and the correct SAQ classification. Answer each one honestly to narrow down your assessment type.

Start Automated SAQ Selector View All SAQ Types

How the SAQ Decision Process Works

The PCI Security Standards Council defines nine SAQ types, each tailored to a specific payment processing environment. Selecting the correct SAQ depends on how your organization accepts, processes, stores, and transmits cardholder data — as well as which payment channels and technologies you use.

The decision tree below guides you through a series of yes-or-no questions about your payment infrastructure. Each answer either identifies your SAQ type or narrows the possibilities further. Start at Step 1 and follow the path that matches your environment.

SAQ Decision Tree

Do you store, process, or transmit cardholder data?

The first question determines whether PCI DSS applies to your organization at all. Cardholder data includes the primary account number (PAN), cardholder name, expiration date, and service code. If your business never touches card data in any form — for example, you only accept cash or bank transfers — PCI DSS may not apply.

Yes

Continue to Step 2

You may not need PCI DSS compliance. Confirm with your acquirer.

Are all your payment channels card-not-present (e-commerce, MOTO)?

Card-not-present (CNP) transactions include e-commerce purchases, mail orders, and telephone orders where the physical card is not swiped, dipped, or tapped. If all your payment acceptance methods are CNP, you are likely eligible for SAQ A or SAQ A-EP, depending on how your payment page is integrated.

Yes

Likely SAQ A or SAQ A-EP depending on payment integration

You have card-present channels. Continue to Step 3.

Do you use a PCI-validated Point-to-Point Encryption (P2PE) solution?

PCI-validated P2PE solutions encrypt cardholder data at the point of interaction (the terminal) and decrypt it only in the secure decryption environment of the solution provider. If your P2PE solution appears on the PCI SSC list of validated P2PE solutions, you qualify for the simplified SAQ P2PE assessment.

Yes

SAQ P2PE — simplified assessment for validated P2PE merchants

Continue to Step 4

Do you only use standalone dial-out terminals with no electronic storage?

Standalone dial-out terminals connect to the payment processor over a traditional phone line and do not store cardholder data electronically. These terminals are not connected to your network or the internet. If this is your sole payment channel, you qualify for SAQ B — one of the simplest card-present assessments.

Yes

SAQ B — standalone dial-out terminals only

Continue to Step 5

Do you only use IP-connected payment terminals (no electronic cardholder data storage)?

IP-connected terminals communicate with the payment processor over your network or the internet but do not store cardholder data after authorization. This includes countertop terminals, PIN pads, and mobile card readers that connect via Ethernet, Wi-Fi, or cellular. Depending on whether your terminal has a payment application, you qualify for SAQ B-IP or SAQ C.

Yes

SAQ B-IP or SAQ C — IP-connected terminals without storage

Continue to Step 6

Do you only process payments via a web-based virtual terminal?

A virtual terminal is a web browser-based payment entry interface provided by your payment processor. An operator manually keys in card numbers for phone or mail orders. If the virtual terminal is your only method of accepting card payments and you do not store cardholder data electronically, you qualify for SAQ C-VT.

Yes

SAQ C-VT — virtual terminal only, no electronic storage

SAQ D — the comprehensive self-assessment applies

SAQ Type Summary

The following table provides a quick reference for each SAQ type, including the key eligibility criteria, approximate number of requirements, and the typical merchant profile.

SAQ Type	Key Criteria	Requirements	Typical Merchant
SAQ A	Card-not-present, fully outsourced payment page (redirect/iframe)	~22	E-commerce with hosted checkout, MOTO
SAQ A-EP	Card-not-present, website affects payment data security (JS SDK)	~191	E-commerce with embedded payment forms
SAQ B	Standalone dial-out terminals only, no electronic CHD storage	~41	Small retail with phone-line terminals
SAQ B-IP	IP-connected PTS terminals, no electronic CHD storage	~82	Retail with networked terminals
SAQ C	Payment application on IP-connected terminal, no CHD storage	~160	Retail with POS payment applications
SAQ C-VT	Web-based virtual terminal only, no electronic CHD storage	~79	MOTO merchants keying data into browser
SAQ P2PE	PCI-validated P2PE hardware terminals	~33	Retail using validated P2PE devices
SAQ D (Merchant)	All other merchants not qualifying for above types	~329	Merchants storing CHD, complex environments
SAQ D (SP)	Service providers storing, processing, or transmitting CHD	~329	Payment gateways, hosting providers

Explore Individual SAQ Guides

Once you have determined which SAQ applies to your organization, dive deeper into the specific requirements and compliance guidance for your SAQ type.

SAQ A Guide SAQ A-EP Guide SAQ D Guide All SAQ Types Overview PCI DSS 4.0.1 Guide QSA Assessment Guide

Start Your SAQ Assessment with GRCTrack

GRCTrack automates SAQ type selection and walks you through every applicable requirement with guided workflows, evidence collection, and QSA-built compliance intelligence.

Start Your Assessment Compare All SAQ Types

SAQ Decision Tree — Frequently Asked Questions

Related PCI DSS Resources

All SAQ Types SAQ A Guide SAQ A-EP Guide SAQ D Guide PCI DSS 4.0.1 Guide QSA Assessment Guide Which SAQ Do I Need?