Who determines which SAQ type I need to complete?

Your acquiring bank (the bank that processes your card transactions) ultimately determines which SAQ type applies to your business. However, the PCI SSC provides detailed eligibility criteria for each SAQ type based on your payment architecture, transaction channels, and how you handle cardholder data. You should evaluate your payment environment against the eligibility criteria and discuss the appropriate SAQ with your acquirer. When in doubt, a Qualified Security Assessor (QSA) can provide definitive guidance.

What happens if I complete the wrong SAQ type?

Completing the wrong SAQ type is a serious compliance gap. If you self-assess under a simpler SAQ than your payment environment actually requires, you may have unaddressed security controls, leaving your environment vulnerable. In the event of a data breach, card brands and acquirers will evaluate whether you were correctly categorised. Incorrectly completing a simpler SAQ can result in increased fines, penalties, and liability. Always validate your SAQ selection with your acquirer.

Can my SAQ type change over time?

Yes. Your SAQ type can change whenever your payment environment changes. For example, if you move from a redirect-based checkout (SAQ A) to a JavaScript-based payment form (SAQ A-EP), your SAQ type changes. Similarly, if you implement a validated P2PE solution to replace standard terminals, you may move from SAQ C to SAQ P2PE. Any changes to how you accept, process, store, or transmit cardholder data should trigger a re-evaluation of your SAQ eligibility.

Do all merchants need to complete an SAQ?

All merchants who accept payment cards must validate PCI DSS compliance, but the method depends on their merchant level (determined by annual transaction volume) and their acquirer's requirements. Level 1 merchants (typically over 6 million transactions annually) generally require a Report on Compliance (RoC) from a QSA rather than an SAQ. Levels 2-4 typically complete an SAQ. Some acquirers may allow Level 2 merchants to complete an SAQ with QSA validation rather than a full RoC.

Is there an SAQ for merchants who do not handle cardholder data at all?

If your business truly never stores, processes, or transmits cardholder data in any form — including paper records — you may not need PCI DSS compliance at all. However, this is rare for merchants who accept card payments. Even merchants who fully outsource payment processing (SAQ A) still have some PCI DSS requirements. If you believe you have no cardholder data obligations, discuss this with your acquiring bank, as they ultimately determine your compliance requirements.

← PCI DSS 4.0.1 Compliance Guide

SAQ Selection Guide

PCI DSS SAQ Types — Which SAQ Do I Need?

Compare all 8 PCI DSS Self-Assessment Questionnaire types and determine which one applies to your business based on how you accept, process, and store payment card data.

The right SAQ depends on your payment architecture, transaction channels, and relationship with cardholder data.

Find Your SAQ Type Talk to a PCI Expert

A PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool that allows merchants and service providers to self-evaluate their compliance with PCI DSS requirements. There are 8 SAQ types, each designed for a specific payment environment, ranging from SAQ A with approximately 22 requirements for fully outsourced payments to SAQ D with approximately 329 requirements for the full standard.

What Is a Self-Assessment Questionnaire (SAQ)?

A Self-Assessment Questionnaire (SAQ) is a validation tool used by merchants and service providers to demonstrate PCI DSS compliance. Created by the PCI Security Standards Council (PCI SSC), SAQs allow organisations to self-evaluate their adherence to PCI DSS requirements without undergoing a full on-site assessment by a Qualified Security Assessor (QSA).

There are 8 SAQ types, each tailored to a specific payment environment and level of cardholder data handling. The correct SAQ type depends on how your business accepts card payments, whether you store cardholder data, and the technology used in your payment infrastructure. Selecting the right SAQ is critical — completing the wrong one can leave security gaps and create compliance exposure.

All 8 SAQ Types at a Glance

SAQ A

~22

Card-not-present merchants who fully outsource payment processing

Redirect or iframe only. No electronic CHD storage, processing, or transmission.

View Guide

SAQ A-EP

~139

E-commerce merchants whose website affects payment data security

JavaScript payment forms, direct post. Website code controls payment page.

View Guide

SAQ B

~41

Merchants using imprint machines or standalone dial-out terminals

No electronic CHD storage. Standalone terminals not connected to the internet.

View Guide

SAQ B-IP

~82

Merchants using standalone PTS-approved payment terminals with IP connection

IP-connected terminals only. No electronic CHD storage on merchant systems.

View Guide

SAQ C

~160

Merchants with payment application systems connected to the internet

Payment application on a device connected to the internet. No electronic CHD storage.

View Guide

SAQ C-VT

~79

Merchants manually entering single transactions via virtual terminal

Web-based virtual terminal from third party. Manual key-entry only, no electronic CHD storage.

View Guide

SAQ D

~329

Merchants storing CHD or not qualifying for other SAQs; all service providers

Full PCI DSS standard. Two variants: Merchant and Service Provider.

View Guide

SAQ P2PE

~33

Merchants using validated PCI-listed Point-to-Point Encryption (P2PE) solutions

Hardware terminals with validated P2PE. No access to cleartext CHD.

View Guide

Which SAQ Do I Need? Decision Matrix

Walk through these questions to narrow down the SAQ type that applies to your business.

Do you store, process, or transmit cardholder data?

If your business never handles CHD in any form, you may not need PCI DSS compliance. Discuss with your acquirer to confirm.

Card-present or card-not-present transactions?

Card-not-present (e-commerce, MOTO) typically leads to SAQ A, A-EP, or D. Card-present (in-store) leads to SAQ B, B-IP, C, P2PE, or D.

Is payment processing fully outsourced?

If all payment processing is handled by a PCI DSS validated third party (redirect/iframe), you may qualify for SAQ A. Partial outsource with JavaScript forms suggests SAQ A-EP.

Do you use standalone terminals or networked systems?

Standalone dial-out terminals may qualify for SAQ B. IP-connected standalone terminals may qualify for SAQ B-IP. Networked payment applications typically require SAQ C or D.

Are you using a validated P2PE solution?

If you use a PCI-listed Point-to-Point Encryption solution and have no access to cleartext CHD, you may qualify for SAQ P2PE with approximately 33 requirements.

Do you store cardholder data electronically?

If you electronically store CHD (for recurring billing, transaction records, etc.), you likely need SAQ D regardless of other factors. Storage is the strongest scope driver in PCI DSS.

SAQ Comparison Table

SAQ Type	Merchant Type	Transaction Channel	Key Characteristic	Controls
SAQ A	CNP — fully outsourced	E-commerce, MOTO	Redirect / iframe only	~22
SAQ A-EP	E-commerce — partial outsource	E-commerce	Website affects payment security	~139
SAQ B	Imprint / dial-out terminal	Card-present	No internet connection	~41
SAQ B-IP	IP-connected terminal	Card-present	Standalone PTS terminal	~82
SAQ C	Payment app on internet	Card-present / CNP	Networked payment app	~160
SAQ C-VT	Virtual terminal only	MOTO / manual	Manual key-entry, no storage	~79
SAQ D	All other merchants / SPs	Any	Full PCI DSS standard	~329
SAQ P2PE	Validated P2PE hardware	Card-present	No cleartext CHD access	~33

SAQ Selection — Frequently Asked Questions

Related PCI DSS Resources

SAQ A Guide SAQ A-EP Guide SAQ D Guide PCI DSS 4.0.1 Guide Cost Calculator Readiness Assessment

Not Sure Which SAQ You Need?

GRCTrack's SAQ selection wizard evaluates your payment environment and recommends the correct SAQ type automatically.

Find Your SAQ Type View PCI DSS Framework