Choosing the Right PCI SAQ for Your Business

There are eight different types of PCI self-assessment questionnaires. Which one is right for your organization?
Troy Fine

by Troy Fine

February 10, 2022
Choosing the Right PCI SAQ for Your Business

Although data breaches in the U.S. have decreased over the last several years, credit card breaches still represent a significant risk to businesses, with the average data breach costing $3.86 million. To protect consumers’ credit card data, companies that process, store, or transmit credit card data must meet the PCI DSS (Payment Card Industry Data Security Standard).

Depending on your specific validation requirements, you may only be required to submit a self-assessment questionnaire—also referred to as PCI SAQ. An SAQ can ask you anywhere from under 50 to over 300 questions to determine if you meet those requirements. To help you figure out which SAQ best fits your business, we break down each type below. 

SAQ Types

Companies that receive credit card data range from e-commerce retailers to mom-and-pop storefronts. The type of SAQ that will be needed will depend on the characteristics of how credit card data is processed.




Card-not-present merchants (e-commerce or order-by-mail/telephone) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers.

No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Not applicable to face-to-face channels.


E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction.

No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Applicable only to e-commerce channels.


Merchants using only imprint machines with no electronic cardholder or standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.


Merchants using only standalone, PIN Transaction Security approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. 

Not applicable to e-commerce channels.


Merchants with payment application systems connected to the internet, no electronic cardholder data storage. 

Not applicable to e-commerce channels.


Merchants who manually enter a single transaction at a time via a keyboard into an internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. 

No electronic cardholder data storage.

Not applicable to e-commerce channels.


Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. 

Not applicable to e-commerce channels.


SAQ D for Merchants: Applies to any merchant that doesn’t fit into any other SAQ types. 

SAQ D for Service Providers: Applies to all service providers defined by a payment card brand as eligible to complete a SAQ. Also applies to third-party vendors providing services that impact the security of a merchant’s or service provider’s cardholder data environment.

Frequently Asked Questions

Here are a few frequently asked questions on PCI to help you determine if this framework applies to your business, find more information on their requirements and guidelines, and choose the right SAQ. 

Does PCI DSS Apply to My Business?

PCI DSS applies to two types of organizations—merchants and service providers.Merchants are defined as any entity that accepts payment cards as payments for goods or services.

Service providers are defined as entities directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. It also includes third-party service providers that control or could impact the security of cardholder data. 

In addition, if you are considered a third-party vendor to a merchant or service provider and your services impact their cardholder data environment, then your validation requirements should be documented in your contracts with those merchants and service providers.

If you need help determining your validation requirements, reach out to your merchant bank or to the entity requesting validation to the PCI DSS. T

he goals of PCI are to ensure that organizations maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain information security policies. 

Where Can I Find More Information on PCI DSS? 

The PCI Security Standards Council (PCI SSC) manages the PCI DSS and each payment card brand (VISA, American Express, Mastercard, etc.) maintains its own separate compliance enforcement programs. 

Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing SAQs, and when to engage a Qualified Security Assessor (QSA) to complete a Report on Compliance (ROC).

To find this information, here are a few places on the PCI SSC website you can start with: 

How do I Choose the Right One?

Before deciding on which SAQ to use, you will need to determine if you are required to engage a QSA to perform an audit and complete a ROC. To determine if a ROC will be required:

  • Merchants and service providers should review the validation requirements specified by each payment brand. 

  • Merchants should inquire with their merchant bank. 

  • Vendors working with merchants and service providers should review their contracts to determine their validation requirements.

If a ROC is not required, then you will more than likely be required to complete an SAQ. To choose the right SAQ, the first step will be to determine if you are considered a merchant or a service provider as defined by the PCI DSS. 

If you are a merchant, you should review the different types of SAQs and consider the operational flow and processes by which you handle credit card transactions. If you are a service provider or third-party vendor, then you will be required to complete the SAQ-D for service providers.

If you’re ready to get started on PCI and ensure you’re processing and storing cardholder data securely, book a demo with our team. 

Trusted Newsletter
Resources for you
New Launches From Drataverse

New Launches From Drataverse: Chart Your Course

Highlights From Drataverse: Chart Your Course

Highlights From Drataverse: Chart Your Course

Image - SOC 2 penetration test list

Penetration Tests and SOC 2: Preference, Tradition, or Requirement?

Troy Fine
Troy Fine
Troy Fine is a 10-year auditor. His area of expertise focuses on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.
Related Resources
PCI DSS 4.0 Blog Thumbnail 936 x 531

PCI DSS v4.0: Everything You Need To Prepare for the March 2024 Deadline


What Is a PCI ROC + When Do You Need One?

PCI Audits hero

PCI DSS Audit: What It Is + How to Prepare

PCI Compliance Checklist Hero

PCI DSS Compliance Checklist: Understanding the 12 Requirements