What is a PCI DSS SAQ?
A PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS. Each SAQ corresponds to a different payment processing environment.
Because different payment methods carry varying levels of risk, the SAQ forms range significantly in length and complexity. Filling out the wrong SAQ could mean you are missing critical security controls or unnecessarily auditing parts of your network that never touch cardholder data.
Who Needs to Complete an SAQ?
Any merchant that processes card payments but does not meet the transaction volume threshold requiring an on-site assessment by a Qualified Security Assessor (QSA) generally qualifies to self-assess. Typically, this covers Level 2, Level 3, and Level 4 merchants.
Even if you completely outsource your payment processing to a third party like Stripe or PayPal, you are still required to comply with PCI DSS and file the appropriate SAQ to prove you handle the outsourced integration securely.
Understanding Common SAQ Types
The PCI Security Standards Council provides several SAQ variations. SAQ A is for merchants who fully outsource all cardholder data functions to PCI-compliant third-party service providers, meaning the merchant retains only paper reports or receipts with masked card numbers. E-commerce merchants using an iframe or redirect to a third-party processor use SAQ A.
SAQ A-EP is for e-commerce merchants who outsource payment processing but control how the payment page is delivered to the consumer, meaning their website could impact the security of the payment transaction.
SAQ B is for merchants using only imprint machines or standalone dial-out terminals. SAQ C applies to merchants with payment application systems connected to the internet but not storing electronic cardholder data. SAQ P2PE is for merchants using validated point-to-point encryption hardware. Finally, SAQ D is the comprehensive fallback questionnaire for anyone who doesn't meet the strict criteria of the other SAQs, or who stores electronic cardholder data.
- SAQ A: Fully outsourced e-commerce or mail/telephone order.
- SAQ A-EP: Partially outsourced e-commerce with merchant website control.
- SAQ B: Imprint machines or standalone dial-out terminals only.
- SAQ C: Internet-connected payment applications, no electronic storage.
- SAQ P2PE: Validated point-to-point encryption hardware.
- SAQ D: Catches all remaining environments; mandatory if storing card data.
Required Evidence and Attestation
Beyond simply checking boxes on the questionnaire, merchants must gather evidence to support their claims. Depending on the SAQ type, this evidence might include network diagrams, quarterly vulnerability scan reports from an Approved Scanning Vendor (ASV), and written security policies.
After completing the questionnaire, a company officer must sign an Attestation of Compliance (AoC) legally declaring that the business meets all the security standards detailed in the specific SAQ.
Frequently asked questions
If I use Stripe or PayPal, do I still need to fill out a PCI SAQ?
Yes. Even if a third party handles the card data, you still have responsibilities for how your systems connect to that provider, usually covered by SAQ A or SAQ A-EP.
What happens if I select the wrong SAQ?
Selecting the wrong SAQ can result in non-compliance fines from your acquiring bank, as you may fail to implement and report on security controls that your specific environment requires.
Do I need to hire an auditor to complete an SAQ?
No. An SAQ is a Self-Assessment Questionnaire designed to be completed by the merchant internally. However, merchants with complex networks may benefit from consultant guidance.
What is an ASV scan, and do all SAQs require it?
An ASV scan is a network vulnerability scan performed by an Approved Scanning Vendor. It is not required by every SAQ (SAQ A, for example, does not call for it), but it is mandatory for internet-facing environments such as those covered by SAQ A-EP and SAQ C.