PCI DSS SAQ Selector & Evidence Checklist

Determine your likely PCI DSS v4.0 Self-Assessment Questionnaire type.

About the PCI DSS SAQ Selector & Evidence Checklist

Merchants and IT security teams can remove the guesswork from compliance reporting with this PCI DSS SAQ selector. By answering straightforward questions about how your business processes, stores, and transmits credit card data, you can quickly identify which Self-Assessment Questionnaire (such as A, A-EP, or D) applies to your environment. The result includes a clear checklist of the evidence your acquiring bank will expect.

How it works

  1. Select your primary payment channels, such as e-commerce, mail order, or physical point-of-sale terminals.
  2. Specify how cardholder data is handled, whether it is outsourced to a third party, entered via a terminal, or touches your internal network.
  3. Confirm whether your organization stores any cardholder data electronically after authorization.
  4. Review your recommended SAQ type and download the associated compliance evidence checklist.
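As an added illustration (not the selector's own code), the following Python encodes the eligibility rules this page states for SAQ A, A-EP, B-IP and D as a single decision function. The field names and sample merchant profiles are assumptions, and every combination outside those four types falls back to SAQ D, which is a simplification of the full set of questionnaires.

```python
from dataclasses import dataclass


@dataclass
class PaymentProfile:
    """Answers to the selector's questions (constructed inputs for this example)."""
    ecommerce: bool                   # accepts card payments through a website
    ip_terminals: bool                # standalone, PTS-approved terminals with an IP link to the processor
    other_channels: bool              # e.g. mail order or telephone, which this example does not model
    fully_outsourced: bool            # all card data entry handed off via iframe or URL redirect
    controls_payment_page: bool       # the merchant's own site dictates how card data is transmitted
    stores_chd_electronically: bool   # any electronic cardholder data storage after authorization


def select_saq(p: PaymentProfile) -> tuple[str, str]:
    """Return (SAQ type, reason) using only the eligibility rules the page states."""
    # Assumption applied here: electronic storage after authorization disqualifies every
    # reduced-scope SAQ, so it routes straight to the full questionnaire.
    if p.stores_chd_electronically:
        return "D", "stores cardholder data electronically after authorization"
    # Simplification: channels the page does not describe (mail order, telephone) fall back to D.
    if p.other_channels:
        return "D", "payment channel not covered by SAQ A, A-EP or B-IP"
    # Each reduced SAQ covers one channel pattern; mixing e-commerce with terminals
    # means the merchant meets the strict criteria of neither.
    if p.ecommerce and p.ip_terminals:
        return "D", "mixed e-commerce and terminal channels"
    if p.ecommerce:
        if p.controls_payment_page:
            return "A-EP", "merchant-controlled site dictates how card data is transmitted"
        if p.fully_outsourced:
            return "A", "all cardholder data functions outsourced via iframe or redirect"
        return "D", "e-commerce payment handling not fully outsourced"
    if p.ip_terminals:
        return "B-IP", "standalone PTS-approved IP terminals, no e-commerce"
    return "D", "no recognised reduced-scope profile"


if __name__ == "__main__":
    # Constructed sample merchant profiles, one per SAQ type the page describes.
    samples = {
        "shop with hosted iframe checkout": PaymentProfile(True, False, False, True, False, False),
        "shop with self-hosted payment form": PaymentProfile(True, False, False, False, True, False),
        "retailer with IP terminals only": PaymentProfile(False, True, False, False, False, False),
        "retailer with terminals and a web shop": PaymentProfile(True, True, False, True, False, False),
    }
    for name, profile in samples.items():
        saq, why = select_saq(profile)
        print(f"{name}: SAQ {saq} ({why})")
```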

Frequently asked questions

What is the difference between SAQ A and SAQ A-EP?

SAQ A is for e-commerce merchants who fully outsource all cardholder data functions to PCI-compliant third parties, using iframes or URL redirects. SAQ A-EP applies when merchants outsource payment processing but control the website that dictates how cardholder data is transmitted, meaning the merchant's own site could affect the security of the transaction.

Who is required to complete SAQ D?

SAQ D is the most comprehensive questionnaire. It applies to merchants who do not meet the strict criteria of any other SAQ type, as well as to all eligible service providers.

Can I use SAQ B-IP if I have an e-commerce website?

No, SAQ B-IP is specifically for merchants using standalone, PTS-approved payment terminals with an IP connection to the payment processor. It does not apply to e-commerce environments.

How often do I need to submit a PCI DSS SAQ?

Merchants are typically required to complete and submit a Self-Assessment Questionnaire, along with an Attestation of Compliance (AOC), on an annual basis to their acquiring bank or payment processor.

Does achieving PCI compliance guarantee I won't suffer a data breach?

No, PCI compliance is a baseline of security standards. While it significantly reduces risk, continuous security monitoring and adherence to best practices are required to protect against evolving threats.
