PCI SAQ: Which self-assessment form should my business complete?

The conversation goes something like this:

“What do you mean we did the wrong form?”

“You did the wrong self-assessment questionnaire.”

“I don’t understand, we picked it based on the name of the form.”

“Well, the criteria are right there in the form itself, did you stop and look at that?”

That conversation has happened before, and most probably will happen again. Through lack of experience, being a part time compliance person, or just being in a hurry, many people want to get the PCI assessment process done and over with, so they jump right into completing a self-assessment questionnaire (SAQ) and don’t look to see if they are filling out the right form.

PCI SAQ: Which self-assessment form should my business complete?


Learn about SecureTrust Self-Assessment Consulting – designed to help entities understand their obligations, complete their SAQ and comply with the PCI DSS.


Self-assessments are just that, conducted by and for yourself as an organization.

There are nine SAQ forms on the PCI Standards Council website. Contained in the first section of each form, under “Before You Begin,” are the eligibility requirements for that given form. Read these carefully. They could help you avoid re-work, or worst yet, having to file a second SAQ.

The eligibility requirements are very explicit, in much of the same prescriptive format as the PCI DSS is structured. For instance, SAQ C-VT has an eligibility requirement, “Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser.”  Succinct and to the point. If you don’t meet that criteria, then move on and look at other SAQ forms. There are several eligibility requirements on each SAQ form. You must ensure you meet each one of those in order to use the SAQ form. Even the failure of meeting one of the eligibility requirements is grounds to not use that SAQ form.

Researching "Which PCI compliance SAQ form should my business complete?"

Each SAQ form is an abbreviation of the full list of requirements, with the exception of SAQ-D.

SAQ-D, of which there is a Merchant version and a Service Provider version, is directly equivalent to the entire Report on Compliance that is performed by a QSA conducting an external assessment. In other words, the entire PCI DSS. If you can’t meet the criteria of the other SAQ forms, then you probably need to do a SAQ-D, but ultimately, the best judge of that is your acquirer. Have the conversation with them and come to an agreement on which form to complete. If you’re a service provider, you must do SAQ-D, none of the other forms are eligible.

But if you want to avoid sticky conversations like the conversation at the beginning of this post, review the eligibility requirements. You know your environment better than anyone else on the planet. You can then have the conversation with your boss about how you completed the assignment, not how you’re going to have to do it again because the wrong form was chosen.


Learn how SecureTrust can save your team time, safeguard sensitive data and streamline the PCI compliance process.


Drew Cathey has been a member of the SecureTrust team for 5 years and has been in IT for 35 years.

Written by Drew Cathey

Drew Cathey has been a member of the SecureTrust team for 5 years and has been in IT for 35 years. Coming from a background in telecommunications IT operations, he has held positions in engineering, project management and IT security. Drew holds degrees in biology, engineering and an MBA in Information Technology management along with PMP, CISSP, CISA and QSA certifications. He resides in St. Petersburg, FL with his two children and enjoys running, bicycling and tennis.