
A PCI SAQ (Self-Assessment Questionnaire) is a common method for evaluating and validating a business’s card data security standards. However, there are different types of SAQs for varying merchant types and the transactions they process.
It’s important to choose the right PCI SAQ for your business so you can ensure your security standards are robust and that you can prove compliance to processors, acquiring banks, and clients.
In this guide, we explore what PCI SAQs are, how to select the right form(s), and common mistakes to avoid when assessing and filing.
What Is a PCI Compliance Assessment?
Completing a PCI compliance assessment usually means deciding which type of validation path your business requires. For most merchants, that means choosing the right SAQs, filing AOCs (Attestations of Compliance), and conducting ASV (Approved Scanning Vendor) scans where required.
The validation paths available include:
- SAQs: Self-assessed checklists that ensure you’re meeting all 12 PCI DSS compliance requirements.
- AOCs: Submitted confirmation that you’re meeting compliance standards, or taking steps to do so.
- ASV scan reports: Quarterly vulnerability scanning results from PCI SSC-approved vendors.
- ROCs: Reports of Compliance, which are externally validated by qualified assessors, usually reserved for larger businesses.
Card brands such as Visa and Mastercard define merchant compliance levels, while acquiring banks and payment processors enforce the specific validation requirements for each level. For example, merchants are assessed against four general levels:
- Level 1: You process more than six million annual transactions, and need to file an external ROC and validated audit, along with an AOC.
- Level 2: You process between one and six million annual transactions. Validation requirements vary by card brand and acquirer, but typically include completing an SAQ, submitting an AOC, and undergoing quarterly ASV scans. Some card brands, such as Visa, may encourage or require Level 2 merchants to complete a ROC with a QSA rather than an SAQ, at the acquirer’s discretion and particularly following a data breach.
- Level 3: You process between 20,000 and one million annual transactions, and need to file an SAQ, an AOC, and quarterly ASV scan reports.
- Level 4: You process fewer than 20,000 annual e-commerce transactions (or up to one million total transactions), with validation requirements that vary by acquirer and environment. An SAQ and AOC are commonly required, while ASV scanning depends on system exposure.
Define PCI Scope: Where Cardholder Data Touches Your Environment
Your PCI scope determines the extent to which cardholder data is accepted, stored, transmitted, and used within your organization. There are currently ten SAQ variations defined by PCI DSS, although not all SAQ types apply to every business or payment environment.
Examples of different PCI scopes include:
- An online business processing data via a payment form
- A merchant that outsources card handling and doesn’t store data on-site
- A trader using a PIN-based terminal that connects to processors
Before you take further steps to get compliant, you also need to consider whether or not you hold or store cardholder data, as this too will determine the type of SAQ you need to file.
How to Select the Correct SAQ: Screening Questions to Ask
Here are a few questions to ask yourself during an assessment to determine the correct SAQ for your business.
Is card data entered on a fully hosted payment page (redirect or hosted checkout)?
In these cases, you will typically need to file an SAQ A, which covers card-not-present merchants whose checkout is fully outsourced. You must not store or transmit card data on-site.
Do staff members key card payments through a virtual terminal (card-not-present)?
Here, you’d need to file an SAQ C-VT, which covers merchants that run third-party virtual terminals through devices that are completely isolated. Again, you must not store card data if filing this SAQ.
Are payments accepted only through standalone terminals (not through POS software on a computer)?
In this case, SAQ B is the most appropriate choice for your PCI scope. SAQ B applies to merchants using standalone dial-out terminals (or imprint machines) that do not connect to the internet and do not electronically store cardholder data. These are non-IP connected devices only.
Is your POS system connected to your network and/or the internet?
SAQ C typically applies when payment applications are internet-connected but properly segmented from all other systems within the environment, and when no cardholder data is stored electronically. The key distinction is that your payment system must be isolated on its own network segment. If it’s connected to other business systems without proper segmentation, SAQ D is more likely to apply.
Does your website or app handle any part of the checkout experience (even if a gateway processes the payment)?
If your website or app only partially processes cardholder data through a payment page, you will normally need to file SAQ A-EP, again without holding that data on-site.
Do you store cardholder data in any form (even temporarily)?
If no other SAQ types apply due to the data you hold, you will normally need to file SAQ D Merchant or SAQ D Service Provider.
SAQ Types at a Glance
We break down all ten types in our guide to what an SAQ is; here is a short summary of what each type covers and where you are likely to fit:
- SAQ A: For cards not present and payment outsourcing
- SAQ A-EP: For partial data processing online
- SAQ B: For standalone terminals
- SAQ B-IP: For standalone point-of-interaction (POI) devices that connect to the processor over IP
- SAQ C: For internet-connected applications
- SAQ C-VT: For third-party virtual terminals on isolated devices
- SAQ D Merchant: For merchants that hold card data on-site
- SAQ D Service Provider: As above, for service providers
- SAQ P2PE: For point-to-point, PCI-verified payments
- SAQ SPoC: For merchants using a PCI-validated Software-based PIN Entry on COTS (commercial off-the-shelf) solution
SAQ Selection Matrix: Common Payment Setups and Typical SAQ Alignment
Here’s a short guide our experts recommend to help you align your payment setup with the SAQ that most commonly applies:
Remember, if you store any cardholder data on-site, you will need to file an SAQ D. All other SAQ types require that cardholder data is not stored within your environment and that payment processing is appropriately outsourced or tightly controlled based on PCI scope.
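As an added illustration (not code from the original article or from SecureTrust), the screening questions above and the overriding "stored data means SAQ D" rule can be encoded as one scoping decision function; the Channel categories and MerchantProfile field names are this example's own assumptions, and its output is a starting point to confirm with your acquirer or processor, who makes the final call.

```python
from dataclasses import dataclass
from enum import Enum

class Channel(Enum):
    """How card data enters the environment (the article's screening questions)."""
    HOSTED_PAGE = "fully hosted payment page (redirect or hosted checkout)"
    PARTIAL_CHECKOUT = "merchant site handles part of checkout; gateway processes"
    VIRTUAL_TERMINAL = "staff key card-not-present payments into a virtual terminal"
    STANDALONE_TERMINAL = "standalone terminal, no POS software on a computer"
    CONNECTED_POS = "POS system connected to the network and/or internet"

@dataclass
class MerchantProfile:
    """Hypothetical intake record; field names are this example's own assumptions."""
    channel: Channel
    stores_cardholder_data: bool = False    # in any form, even temporarily
    service_provider: bool = False
    terminal_ip_connected: bool = False     # standalone terminal reaches the processor over IP
    payment_segment_isolated: bool = False  # POS sits on its own network segment
    vt_device_isolated: bool = False        # virtual-terminal device isolated from other systems
    p2pe_validated: bool = False            # PCI-listed point-to-point encryption solution
    spoc_validated: bool = False            # PCI-validated SPoC solution

def select_saq(p: MerchantProfile) -> tuple[str, str]:
    """Return (SAQ name, reason). Service-provider status and stored data are checked first."""
    if p.service_provider:
        return "SAQ D Service Provider", "every other SAQ form is a merchant form"
    if p.stores_cardholder_data:
        return "SAQ D Merchant", "cardholder data is stored on-site; no other SAQ permits that"
    if p.p2pe_validated:
        return "SAQ P2PE", "PCI-listed point-to-point encryption solution"
    if p.spoc_validated:
        return "SAQ SPoC", "PCI-validated software-based PIN entry on COTS"
    if p.channel is Channel.HOSTED_PAGE:
        return "SAQ A", "card-not-present with checkout fully outsourced"
    if p.channel is Channel.PARTIAL_CHECKOUT:
        return "SAQ A-EP", "merchant site takes part in checkout but stores no data"
    if p.channel is Channel.VIRTUAL_TERMINAL:
        if p.vt_device_isolated:
            return "SAQ C-VT", "third-party virtual terminal on an isolated device"
        return "SAQ D Merchant", "virtual-terminal device is not isolated"
    if p.channel is Channel.STANDALONE_TERMINAL:
        if p.terminal_ip_connected:
            return "SAQ B-IP", "standalone POI device connecting to the processor over IP"
        return "SAQ B", "dial-out or imprint terminal with no IP connection"
    if p.payment_segment_isolated:  # CONNECTED_POS: segmentation decides between C and D
        return "SAQ C", "internet-connected payment application on its own segment"
    return "SAQ D Merchant", "POS shares a network with other business systems"
```

Changing a single flag, such as setting stores_cardholder_data on a hosted-checkout merchant, shows how the SAQ D override takes precedence over the channel-based answer.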
Common Mistakes That Lead to the Wrong SAQ Selection
Many business owners accidentally choose the wrong SAQ when assessing PCI scope; for example, they may overlook the fact that they store data, or misunderstand their payment terminal setup.
Common mistakes to avoid include:
- Not accounting for data stored or making assumptions (you’ll typically need SAQ D)
- Mislabeling your business as a merchant when you are a service provider
- Rushing the SAQ selection process
- Ignoring third-party processors and outsourcing
- Assuming all SAQs serve the same purposes (selecting the wrong form could lead to processor penalties if you fail to prove compliance)
- Overlooking network segmentation and certain connections
- Trusting vendors instead of validating information yourself
What You’ll Need to Complete PCI Validation
To ensure you account for the true cost of PCI compliance and that you take the right steps to comply, we recommend the following documentation and evidence checklist:
- A clear indication of your compliance level (check with your processor if unsure)
- Your relevant SAQ if applicable (following our advice above)
- An AOC to confirm you have taken the steps outlined in your SAQ
- An ROC, if applicable, undertaken by a QSA (Qualified Security Assessor)
- Quarterly ASV reports to demonstrate that you have undertaken vulnerability scanning
It’s good practice to explore PCI SSC’s DSS V4.x Resource Hub, which brings together documents and advice to help you prepare for compliance and to maintain a strong data security standard for as long as you trade.
Always make sure you read guidance on PCI DSS V4.0: older resources are still available, but PCI SSC has updated its standards and expectations to reflect the changing landscape of payment data protection.
“The SAQs have been updated to reflect the PCI DSS v4 requirements updates, so that the requirement wording in the SAQs now mirrors that which is used in the standard, and the SAQ reporting responses are aligned with the PCI DSS v4 Report on Compliance template. Additionally, each SAQ contains new guidance to support organizations completing the self-assessment process.”
PCI SSC
Conclusion
Navigating different SAQs and deciding on which forms best fit your business’s processes can be challenging at first. However, taking the time to understand your PCI scope will help you build a more robust cybersecurity profile and ensure you can always provide evidence to back up your preparations.
Invest in SecureTrust PCI Manager and start taking the hassle and headaches out of ongoing compliance and all its reporting.
FAQs
Let’s close with a few key questions regarding choosing SAQs for your PCI compliance requirements.
Who decides which SAQ I need?
Your payment processor or acquiring bank will determine which SAQ is right for your business’s PCI scope. This is based on your transaction volumes, how you process cardholder data, and whether or not you store it.
How often do you need to fill out the PCI SAQ?
You must complete a PCI SAQ once a year, alongside ongoing commitments to compliance. For example, you must run vulnerability scans with approved vendors (ASVs) at least quarterly.
What happens if I submit the wrong SAQ?
Submitting the wrong SAQ essentially leaves your business non-compliant for PCI DSS. That means you are at risk of financial penalties, processor restrictions, and greater scrutiny until you attest to compliance and submit the correct documentation.
Senior Product Marketing Manager
SecureTrust