SAQ Selection Guide: Which PCI DSS SAQ Do You Need?
Navigate the PCI DSS Self-Assessment Questionnaire selection process with this comprehensive guide covering SAQ A, A-EP, B, B-IP, C, C-VT, P2PE, and D eligibility criteria.
Understanding SAQ Selection
Selecting the correct Self-Assessment Questionnaire (SAQ) is one of the most consequential decisions in your PCI DSS compliance journey. The wrong choice can result in an incomplete assessment, compliance gaps, or unnecessary effort spent on requirements that do not apply to your environment.
This guide examines each SAQ type, its eligibility criteria, and the factors that determine which questionnaire applies to your organization.
The SAQ Landscape in PCI DSS 4.0
PCI DSS provides multiple SAQ types designed for different merchant environments and payment acceptance methods. Each SAQ contains a subset of PCI DSS requirements applicable to specific scenarios.
The available SAQ types are:
- SAQ A: Card-not-present merchants with fully outsourced payment functions
- SAQ A-EP: E-commerce merchants with websites that affect payment page security
- SAQ B: Merchants using imprint machines or standalone dial-out terminals
- SAQ B-IP: Merchants using standalone, IP-connected PTS POI terminals
- SAQ C: Merchants with payment application systems connected to the internet
- SAQ C-VT: Merchants using web-based virtual terminals
- SAQ P2PE: Merchants using validated PCI P2PE solutions
- SAQ D for Merchants: All other merchant environments
- SAQ D for Service Providers: Service providers not completing a ROC
SAQ A: The Fully Outsourced Model
Who Qualifies
SAQ A applies to card-not-present merchants (e-commerce and mail/telephone order) who have outsourced all cardholder data functions to PCI DSS validated third parties.
Key Eligibility Criteria
To qualify for SAQ A, your organization must meet ALL of these conditions:
For E-commerce:
- Your entire payment page is hosted and served by a PCI DSS compliant third-party payment processor
- Customers are redirected to the processor's site or use a payment form entirely hosted by the processor
- No elements of your website directly receive cardholder data
- You have confirmed your payment processor's PCI DSS compliance
For Mail/Telephone Order (MOTO):
- Cardholder data is received via phone, fax, or mail
- Data is entered directly into a third-party virtual terminal
- No electronic cardholder data is stored on your systems
Common Disqualifiers
You cannot use SAQ A if:
- Your website hosts any portion of the payment page (including iframes)
- JavaScript from your site interacts with payment data collection
- You store electronic cardholder data, even temporarily
- You accept in-person card transactions
Requirements Covered
SAQ A contains approximately 22 requirements, primarily focused on:
- Service provider management and due diligence
- Physical security for any paper records
- Information security policies
SAQ A-EP: E-commerce with Security Impact
Who Qualifies
SAQ A-EP applies to e-commerce merchants whose websites impact the security of payment transactions, even though cardholder data is submitted directly to a third-party processor.
Key Eligibility Criteria
SAQ A-EP applies when:
- Cardholder data is entered on payment pages hosted entirely by a PCI DSS compliant third party
- Your website delivers the script or iframe that contains the payment fields
- Your web server could potentially affect the security of the transaction
- You do not electronically store, process, or transmit cardholder data on your systems
Common Scenarios
SAQ A-EP typically applies to:
- Websites using embedded JavaScript payment forms where cardholder data goes directly to the processor
- Sites using iframes that contain the processor's payment page
- E-commerce platforms using client-side tokenization
Requirements Covered
SAQ A-EP contains approximately 139 requirements, including:
- Network security and segmentation controls
- Secure development practices for the e-commerce application
- Vulnerability management for internet-facing systems
- Logging and monitoring for web servers
SAQ B: Imprint and Dial-Out Terminals
Who Qualifies
SAQ B applies to merchants using only imprint machines or standalone, dial-out terminals with no electronic cardholder data storage.
Key Eligibility Criteria
To qualify for SAQ B:
- You use only standalone, dial-out terminals or imprint machines
- Terminals connect via phone line only (not IP-connected)
- No electronic cardholder data storage
- No connection between terminals and other systems
Requirements Covered
SAQ B contains approximately 41 requirements focused on:
- Physical security of terminals and cardholder data
- Policies and procedures
SAQ B-IP: Standalone IP Terminals
Who Qualifies
SAQ B-IP applies to merchants using standalone, IP-connected PTS Point of Interaction (POI) devices for card-present transactions only.
Key Eligibility Criteria
To qualify for SAQ B-IP:
- You use standalone PTS POI devices listed on the PCI SSC approved device list
- Terminals are IP-connected (not dial-out)
- Devices are isolated on their own network segment
- No electronic cardholder data storage on any merchant systems
Requirements Covered
SAQ B-IP contains approximately 82 requirements including:
- Network segmentation for terminal environment
- Secure configuration of network devices
- Physical security controls
SAQ C: Internet-Connected Payment Applications
Who Qualifies
SAQ C applies to merchants with payment application systems connected to the internet, typically point-of-sale systems with IP connectivity.
Key Eligibility Criteria
To qualify for SAQ C:
- Payment application is on a device isolated from other systems
- No electronic cardholder data storage after transaction completion
- Payment application is the only application on the system
- Systems do not connect to other internal network segments containing other sensitive data
Requirements Covered
SAQ C contains approximately 160 requirements covering:
- Network security and segmentation
- Secure configurations
- Vulnerability management
- Access controls
- Monitoring and testing
SAQ C-VT: Web-Based Virtual Terminals
Who Qualifies
SAQ C-VT applies to merchants who manually enter single transactions via a virtual terminal on a web browser.
Key Eligibility Criteria
To qualify for SAQ C-VT:
- You use only a web-based virtual terminal provided by a PCI DSS compliant third party
- Virtual terminal is accessed via a web browser on an isolated device
- No electronic cardholder data storage
- No hardware terminal connections
Requirements Covered
SAQ C-VT contains approximately 79 requirements focused on:
- Workstation security
- Internet browser security
- User access management
- Physical security
SAQ P2PE: Validated Point-to-Point Encryption
Who Qualifies
SAQ P2PE applies to merchants using only PCI-validated Point-to-Point Encryption solutions where all account data is protected from the point of interaction.
Key Eligibility Criteria
To qualify for SAQ P2PE:
- You use ONLY a validated PCI P2PE solution listed on the PCI SSC website
- No electronic cardholder data storage outside the P2PE solution
- The P2PE solution provider is responsible for the security of the cardholder data
Requirements Covered
SAQ P2PE contains approximately 33 requirements, the fewest of any SAQ for card-present transactions.
SAQ D: The Comprehensive Assessment
When SAQ D Applies
SAQ D is required when:
- Your environment does not meet eligibility criteria for any other SAQ type
- You store cardholder data electronically
- You are a service provider not completing a formal ROC
Merchant vs Service Provider Versions
There are two versions of SAQ D:
- SAQ D for Merchants: Contains all merchant-applicable requirements
- SAQ D for Service Providers: Includes additional service provider-specific requirements
Requirements Covered
SAQ D contains all applicable PCI DSS requirements—over 250 questions covering all 12 requirement families.
Decision Framework: Choosing Your SAQ
Step 1: Determine Your Merchant Category
- Are you card-present, card-not-present, or both?
- Do you accept e-commerce, MOTO, or in-person transactions?
Step 2: Map Your Payment Flow
- Where does cardholder data enter your environment?
- Who handles the data at each step?
- Where is data stored, even temporarily?
Step 3: Evaluate Third-Party Involvement
- Are all payment functions outsourced to validated providers?
- Do you use validated P2PE solutions?
- What payment devices or applications do you use?
Step 4: Verify Eligibility Criteria
- Review each potential SAQ's eligibility section
- Confirm you meet ALL criteria, not just most
- Document your eligibility determination
Step 5: Consult Your Acquiring Bank
- Your acquiring bank may have specific requirements
- They can confirm which SAQ applies to your merchant agreement
Common SAQ Selection Mistakes
Mistake 1: Choosing the Shortest SAQ Without Verification
Organizations sometimes select SAQ A or P2PE assuming they qualify without carefully reviewing eligibility criteria. This leads to incomplete assessments and potential compliance gaps.
Mistake 2: Overlooking Iframe Implementations
Using iframes to embed payment pages hosted by processors typically requires SAQ A-EP, not SAQ A. If JavaScript served from your site could affect the security of the payment page, your eligibility changes.
Mistake 3: Ignoring Multi-Channel Scenarios
If you accept payments through multiple channels (e-commerce plus phone orders plus in-store), you may need multiple SAQs or may only qualify for SAQ D.
Mistake 4: Assuming POS System Isolation
Payment applications that sit on a network shared with other business systems often do not meet the SAQ C isolation requirements, even when the merchant assumes the POS is "separate".
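The decision framework above and the four mistakes just listed can be encoded as a rule set, so that an assessor can run a merchant's channel inventory through the same checks every cycle rather than re-deriving them by hand. The following is an added example, not code from PCI SSC, GRCTrack, or any SAQ document: the PaymentChannel fields, the value names for device types, and the rule ordering are assumptions chosen to mirror this guide's eligibility lists, and the output is a candidate SAQ for the acquiring bank and QSA to confirm, not a determination.

```python
"""Hypothetical SAQ eligibility checker that encodes the criteria in this guide.

Added example: the profile fields, device-type strings and rule ordering are
assumptions made for illustration, not official PCI SSC eligibility logic.
"""
from dataclasses import dataclass


@dataclass
class PaymentChannel:
    """One way the merchant accepts cards. All field names are hypothetical."""
    kind: str                                   # "ecommerce", "moto" or "card_present"
    stores_chd: bool = False                    # any electronic cardholder data stored, even temporarily
    processor_validated: bool = False           # third party's PCI DSS compliance has been confirmed
    # e-commerce only
    payment_page_fully_hosted: bool = False     # redirect or form served entirely by the processor
    site_delivers_script_or_iframe: bool = False  # merchant site embeds the iframe/JS payment fields
    # MOTO only
    entered_into_third_party_vt: bool = False   # data keyed straight into the provider's virtual terminal
    # card-present only
    device: str = ""                            # "imprint", "dial_out", "ip_pts_poi", "web_vt", "pos_app", "p2pe"
    isolated: bool = False                      # terminal/app on its own segment, no link to other business systems
    only_app_on_system: bool = False            # SAQ C: payment application is the only application on the device


def saq_for_channel(ch: PaymentChannel) -> str:
    """Map a single acceptance channel to the SAQ this guide's criteria point to.

    Electronic storage of cardholder data is checked first because the guide
    lists it as an SAQ D trigger regardless of how cards are accepted.
    """
    if ch.stores_chd:
        return "D"
    if ch.kind == "ecommerce":
        if not ch.payment_page_fully_hosted:
            return "D"                      # merchant site receives cardholder data itself
        if ch.site_delivers_script_or_iframe:
            return "A-EP"                   # Mistake 2: iframes / embedded JS are A-EP, not A
        return "A" if ch.processor_validated else "D"
    if ch.kind == "moto":
        if ch.entered_into_third_party_vt and ch.processor_validated:
            return "A"
        return "D"
    if ch.kind == "card_present":
        if ch.device == "p2pe":
            return "P2PE"                   # only a PCI-listed P2PE solution in use
        if ch.device in ("imprint", "dial_out") and ch.isolated:
            return "B"                      # phone line only, no connection to other systems
        if ch.device == "ip_pts_poi" and ch.isolated:
            return "B-IP"                   # listed PTS POI device on its own segment
        if ch.device == "web_vt" and ch.isolated and ch.processor_validated:
            return "C-VT"
        if ch.device == "pos_app" and ch.isolated and ch.only_app_on_system:
            return "C"
        return "D"                          # Mistake 4: shared network or extra apps fail SAQ C isolation
    return "D"                              # unknown channel type: treat conservatively


def saqs_for_merchant(channels: list[PaymentChannel]) -> list[str]:
    """Return the sorted set of SAQs a multi-channel merchant would need.

    Mistake 3: several channels may mean several SAQs. If any channel lands on
    SAQ D, the merchant completes SAQ D alone, since it already contains every
    applicable requirement.
    """
    if not channels:
        return []
    found = {saq_for_channel(ch) for ch in channels}
    return ["D"] if "D" in found else sorted(found)


if __name__ == "__main__":
    # Constructed inventory: hosted checkout plus a dial-out terminal in one store.
    inventory = [
        PaymentChannel(kind="ecommerce", payment_page_fully_hosted=True, processor_validated=True),
        PaymentChannel(kind="card_present", device="dial_out", isolated=True),
    ]
    print("Candidate SAQs:", saqs_for_merchant(inventory))
```

The value of running the inventory rather than reasoning from memory is that the disqualifiers are applied in a fixed order: storage is checked before anything else, the iframe case cannot silently fall into SAQ A, and a single non-isolated POS drags the whole merchant to SAQ D, which is exactly the multi-channel outcome the guide warns about.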
Working with Your QSA or Acquiring Bank
While SAQs are self-assessments, consulting with a Qualified Security Assessor can help ensure correct SAQ selection. Your acquiring bank may also provide guidance based on your merchant agreement and transaction volume.
Key questions to discuss:
- Which SAQ type applies to our specific environment?
- Do we need multiple SAQs for different payment channels?
- Are there any upcoming changes that might affect our eligibility?
Maintaining SAQ Eligibility
SAQ selection is not a one-time decision. Review your eligibility:
- Annually as part of your compliance cycle
- When changing payment processors or methods
- When modifying your e-commerce platform
- When adding new payment channels
Changes to your environment may change your SAQ eligibility, potentially requiring a different (and more comprehensive) questionnaire.
This guide provides general information about SAQ selection. Consult with your acquiring bank and a qualified assessor to confirm which SAQ applies to your specific environment.