PCI DSS SAQ Tool

Determining the correct Self-Assessment Questionnaire (SAQ) is a critical first step for any merchant handling cardholder data. The wrong SAQ can lead to unnecessary compliance burden or, worse, gaps in your security posture.

What Is a PCI DSS SAQ?

A PCI DSS SAQ (Self-Assessment Questionnaire) is a validation tool that merchants use to self-assess their compliance with the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council provides several SAQ types, each designed for different merchant environments and card-acceptance methods.

Why Merchants Must Determine the Correct SAQ

Using the wrong SAQ can result in incomplete assessments, failed audits, or unnecessary effort. Your acquiring bank or payment brand may require you to validate compliance using a specific SAQ based on how you store, process, or transmit cardholder data. Getting it right from the start saves time and reduces compliance risk.

Common SAQ Types

  • SAQ A — For merchants who outsource all cardholder data functions to validated third parties (e.g., fully outsourced ecommerce).
  • SAQ A-EP — For ecommerce merchants whose website can impact the security of the cardholder data environment, even if they do not directly handle card data.
  • SAQ D — For merchants who store, process, or transmit cardholder data, or who do not meet the criteria for other SAQ types.

Not sure which SAQ applies to you? Use our guided assessment to determine your scope and SAQ type.