Choosing the Right PCI SAQ for Your Business

Troy Fine

by Troy Fine

February 10, 2022
Choosing the Right PCI SAQ for Your Business
There are eight different types of PCI self-assessment questionnaires. Which one is right for your organization?

Although data breaches in the U.S. have decreased over the last several years, credit card breaches still represent a significant risk to businesses, with the average data breach costing $3.86 million. To protect consumers’ credit card data, companies that process, store, or transmit credit card data must meet the PCI DSS (Payment Card Industry Data Security Standard).

Depending on your specific validation requirements, you may only be required to submit a self-assessment questionnaire—also referred to as PCI SAQ. An SAQ can ask you anywhere from under 50 to over 300 questions to determine if you meet those requirements. To help you figure out which SAQ best fits your business, we break down each type below. 

SAQ Types

Companies that receive credit card data range from e-commerce retailers to mom-and-pop storefronts. The type of SAQ that will be needed will depend on the characteristics of how credit card data is processed.




Card-not-present merchants (e-commerce or order-by-mail/telephone) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers.

No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Not applicable to face-to-face channels.


E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction.

No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Applicable only to e-commerce channels.


Merchants using only imprint machines with no electronic cardholder or standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.


Merchants using only standalone, PIN Transaction Security approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. 

Not applicable to e-commerce channels.


Merchants with payment application systems connected to the internet, no electronic cardholder data storage. 

Not applicable to e-commerce channels.


Merchants who manually enter a single transaction at a time via a keyboard into an internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. 

No electronic cardholder data storage.

Not applicable to e-commerce channels.


Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. 

Not applicable to e-commerce channels.


SAQ D for Merchants: Applies to any merchant that doesn’t fit into any other SAQ types. 

SAQ D for Service Providers: Applies to all service providers defined by a payment card brand as eligible to complete a SAQ. Also applies to third-party vendors providing services that impact the security of a merchant’s or service provider’s cardholder data environment.

Frequently Asked Questions

Here are a few frequently asked questions on PCI to help you determine if this framework applies to your business, find more information on their requirements and guidelines, and choose the right SAQ. 

Does PCI DSS Apply to My Business?

PCI DSS applies to two types of organizations—merchants and service providers.Merchants are defined as any entity that accepts payment cards as payments for goods or services.

Service providers are defined as entities directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. It also includes third-party service providers that control or could impact the security of cardholder data. 

In addition, if you are considered a third-party vendor to a merchant or service provider and your services impact their cardholder data environment, then your validation requirements should be documented in your contracts with those merchants and service providers.

If you need help determining your validation requirements, reach out to your merchant bank or to the entity requesting validation to the PCI DSS. T

he goals of PCI are to ensure that organizations maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain information security policies. 

Where Can I Find More Information on PCI DSS? 

The PCI Security Standards Council (PCI SSC) manages the PCI DSS and each payment card brand (VISA, American Express, Mastercard, etc.) maintains its own separate compliance enforcement programs. 

Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing SAQs, and when to engage a Qualified Security Assessor (QSA) to complete a Report on Compliance (ROC).

To find this information, here are a few places on the PCI SSC website you can start with: 

How do I Choose the Right One?

Before deciding on which SAQ to use, you will need to determine if you are required to engage a QSA to perform an audit and complete a ROC. To determine if a ROC will be required:

  • Merchants and service providers should review the validation requirements specified by each payment brand. 

  • Merchants should inquire with their merchant bank. 

  • Vendors working with merchants and service providers should review their contracts to determine their validation requirements.

If a ROC is not required, then you will more than likely be required to complete an SAQ. To choose the right SAQ, the first step will be to determine if you are considered a merchant or a service provider as defined by the PCI DSS. 

If you are a merchant, you should review the different types of SAQs and consider the operational flow and processes by which you handle credit card transactions. If you are a service provider or third-party vendor, then you will be required to complete the SAQ-D for service providers.

If you’re ready to get started on PCI and ensure you’re processing and storing cardholder data securely, book a demo with our team. 

The Drata Newsletter

Trusted is Drata’s newsletter focused on the world of compliance, security, data privacy, and everything in between.


The Drata Community

Screen Shot 2022-07-13 at 9.45 1
Resources for you
SOC 2 policies

12 Commonly Recommended Security Policies for SOC 2

Drata + AssuranceLab

Why AssuranceLab Joined Drata’s Auditor Alliance

Asset - Compliance Uncomplicated - Nemean Services

Compliance Uncomplicated Episode 5: An InfoSec Perspective to Digital Security Success With Nemean Services

Troy Fine
Troy Fine
Director of Risk & Compliance