PCI SAQ Questionnaire Guide
The PCI SAQ questionnaire is a self-validation tool that merchants and service providers use to assess their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Merchants must complete the appropriate SAQ whenever their acquiring bank or payment brand requires them to validate compliance. The SAQ is typically required annually, after significant changes to your cardholder data environment, or as otherwise specified by your acquirer or payment processor.
What Is a PCI SAQ?
The Self-Assessment Questionnaire (SAQ) is used by merchants and service providers to validate PCI DSS compliance without a full audit. Instead of engaging a Qualified Security Assessor (QSA) for a Report on Compliance (ROC), eligible organizations can complete the applicable SAQ and submit an Attestation of Compliance (AOC) to demonstrate they meet the required security controls.
Types of PCI SAQ
The PCI Security Standards Council offers several SAQ types, each tailored to different payment acceptance methods and system configurations. Selecting the correct SAQ depends on your payment flow, how cardholder data is handled, and your system scope.
- SAQ A — For card-not-present merchants who outsource all cardholder data functions to validated third parties.
- SAQ A-EP — For ecommerce merchants whose website can impact the security of the cardholder data environment.
- SAQ B — For merchants using only imprint machines or standalone dial-out terminals.
- SAQ B-IP — For merchants using standalone IP-connected payment terminals.
- SAQ C — For merchants with payment applications connected to the Internet but no electronic cardholder data storage.
- SAQ C-VT — For merchants who manually enter card data via a virtual terminal on a single computer.
- SAQ P2PE — For merchants using validated point-to-point encryption (P2PE) solutions.
- SAQ D — For merchants who store, process, or transmit cardholder data, or who do not meet the criteria for other SAQ types.
How to Determine the Correct SAQ
Merchants must understand their cardholder data flow, payment processing method, and system connectivity to select the right SAQ. Mapping how card data enters, moves through, and leaves your environment is essential. Incorrect SAQ selection can lead to compliance issues, failed validations, or unnecessary control requirements. Your acquirer or payment processor can provide guidance, but a structured assessment can help you confidently identify the applicable SAQ.