PCI SAQ: Which Self-Assessment Questionnaire Do You Need?

Introduction

Determining which Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ) applies to your business is a critical first step in achieving PCI compliance. This guide walks you through identifying the correct SAQ for your organization, understanding its requirements, and preparing for successful completion.

By following this guide, you’ll accomplish:

  • Accurate identification of your applicable SAQ type
  • Clear understanding of your compliance scope
  • Proper documentation of your payment card processing methods
  • Preparation for completing your self-assessment

This matters because selecting the wrong SAQ can lead to non-compliance, potential fines, and increased security risks. The right SAQ ensures you’re meeting appropriate security standards without unnecessary complexity or cost.

Prerequisites:

  • Basic understanding of your payment processing methods
  • Access to your payment system architecture
  • Authority to gather information about card data flows
  • Knowledge of your merchant account details

Before You Start

What You Need

Before determining your SAQ type, gather the following essential information:

Payment Processing Documentation:

  • Merchant account statements
  • Payment gateway contracts
  • Point-of-sale (POS) system specifications
  • E-commerce platform details
  • Any third-party payment processor agreements

Technical Infrastructure Details:

  • Network diagrams showing payment data flows
  • List of all systems that process, store, or transmit card data
  • Integration documentation for payment systems
  • Security controls currently in place

Business Operations Information:

  • Annual transaction volume
  • Types of payment channels (in-person, online, phone, mail)
  • Physical locations accepting payments
  • Employee roles handling card data

Information to Gather

Create a comprehensive inventory of your payment acceptance methods:

  • Card-Present Transactions:

    – Terminal types and models
    – Connection methods (dial-up, IP, cellular)
    – Integration with other systems

  • Card-Not-Present Transactions:

    – E-commerce platforms
    – Virtual terminals
    – Phone order systems
    – Mail order processes

  • Data Storage Practices:

    – Whether you store card data electronically
    – Paper storage of card information
    – Retention periods and destruction methods

Stakeholders to Involve

Engage these key stakeholders early in the process:

  • IT Department: For technical infrastructure details
  • Finance Team: For transaction volumes and merchant accounts
  • Operations Manager: For business process information
  • Legal/Compliance Officer: For regulatory requirements
  • Third-Party Vendors: For integration and service details

Step-by-Step Process

Step 1: Identify Your Merchant Level

Determine your merchant level based on annual transaction volume:

  • Level 1: Over 6 million transactions annually
  • Level 2: 1-6 million transactions annually
  • Level 3: 20,000-1 million transactions annually
  • Level 4: Less than 20,000 transactions annually

Tip: Count all card brand transactions (Visa, Mastercard, etc.) together. Your acquiring bank can provide exact numbers.

Step 2: Map Your Payment Channels

Document every method you use to accept payments:

  • Physical Locations: Retail stores, kiosks, mobile sales
  • E-commerce: Website, mobile apps, online marketplaces
  • MOTO (Mail Order/Telephone Order): Call centers, mail-in forms
  • Recurring Billing: Subscription services, membership fees

Warning: Don’t overlook any payment channel, even if rarely used. A single overlooked method can invalidate your compliance.

Step 3: Analyze Card Data Flow

Trace how card data moves through your systems:

  • Entry Point: Where card data first enters your environment
  • Processing: Systems that handle authorization and settlement
  • Storage: Any locations where card data is retained
  • Transmission: How data moves between systems

Create a simple flowchart showing each step from card presentation to settlement.

Step 4: Evaluate Third-Party Services

Identify all third-party payment services:

  • Payment gateways (Stripe, PayPal, Square)
  • Shopping cart providers
  • Payment processing companies
  • Tokenization services

Important: Obtain AOC (Attestation of Compliance) documentation from each service provider.

Step 5: Determine Your SAQ Type

Based on your payment methods and data handling, select the appropriate SAQ:

SAQ A:

  • E-commerce only
  • Fully outsourced payment processing
  • No electronic storage of card data
  • Redirect or iframe to third-party payment page

SAQ A-EP:

  • E-commerce only
  • Partial outsourcing
  • Website creates payment form but doesn’t process
  • No electronic storage of card data

SAQ B:

  • Imprint machines or standalone terminals only
  • No electronic card data storage
  • Terminals not connected to other systems

SAQ B-IP:

  • Standalone IP-connected payment terminals
  • No electronic cardholder data storage
  • Terminals not connected to merchant systems

SAQ C:

  • Payment application systems connected to the internet
  • Not eligible for other SAQ types
  • Includes most integrated POS systems

SAQ D:

  • All other merchants
  • Any electronic storage of card data
  • Service providers

Step 6: Validate Your Selection

Confirm your SAQ choice:

  • Review the eligibility criteria in detail
  • Consult with your acquiring bank
  • Consider edge cases and exceptions
  • Document your reasoning

Pro Tip: When in doubt between two SAQ types, consult with a QSA (Qualified Security Assessor) to avoid compliance gaps.
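As an added example (not code from the original guide or from SecureSystems.com), the following Python encodes Steps 1, 5 and 6 as a small rule engine: it classifies the merchant level, lists every SAQ whose eligibility bullets a payment profile satisfies together with the rule that matched, and resolves overlaps with the "use the most comprehensive applicable SAQ" rule from Step 6 and the Troubleshooting section. The profile field names, the comprehensiveness ranking, and the exact level boundaries are assumptions for this example; the criteria are summarised from this guide and are not a substitute for the official PCI SSC eligibility criteria.

```python
"""Rule-based SAQ pre-selection (added example; assumptions noted inline)."""
from dataclasses import dataclass

# Assumed ranking: a higher index means a more comprehensive SAQ.
SAQ_RANK = ["A", "A-EP", "B", "B-IP", "C", "D"]


def merchant_level(annual_transactions: int) -> int:
    """Step 1: merchant level from annual transaction volume.
    Boundary handling at exactly 1M / 20k is an assumption."""
    if annual_transactions > 6_000_000:
        return 1
    if annual_transactions >= 1_000_000:
        return 2
    if annual_transactions >= 20_000:
        return 3
    return 4


@dataclass
class PaymentProfile:
    """Hypothetical profile fields derived from the Step 2-4 inventory."""
    stores_card_data_electronically: bool = False
    is_service_provider: bool = False
    ecommerce: bool = False
    ecommerce_fully_outsourced: bool = False  # redirect/iframe to third party
    card_present: bool = False
    terminals_standalone: bool = False        # not connected to other systems
    terminals_ip_connected: bool = False
    integrated_pos_internet: bool = False     # payment app on an internet-connected network


def candidate_saqs(p: PaymentProfile) -> list:
    """Step 5: every SAQ whose bullets the profile satisfies, with the reason."""
    # SAQ D catch-alls come first: any electronic storage, or service-provider role.
    if p.stores_card_data_electronically:
        return [("D", "electronic storage of card data")]
    if p.is_service_provider:
        return [("D", "service provider")]
    cands = []
    if p.ecommerce:
        if p.ecommerce_fully_outsourced:
            cands.append(("A", "fully outsourced e-commerce via redirect/iframe"))
        else:
            cands.append(("A-EP", "merchant site builds the payment form"))
    if p.card_present:
        if p.terminals_standalone and not p.terminals_ip_connected:
            cands.append(("B", "imprint machines or standalone terminals"))
        elif p.terminals_standalone and p.terminals_ip_connected:
            cands.append(("B-IP", "standalone IP-connected terminals"))
        else:
            cands.append(("C", "terminals integrated with other systems"))
    if p.integrated_pos_internet:
        cands.append(("C", "payment application connected to the internet"))
    return cands


def select_saq(p: PaymentProfile) -> tuple:
    """Step 6: resolve overlaps by choosing the most comprehensive candidate.
    Returns (saq, reasons); an empty candidate list falls through to SAQ D
    ('all other merchants'), which the guide says also warrants a QSA consult."""
    cands = candidate_saqs(p)
    if not cands:
        return "D", ["no narrower SAQ matched; 'all other merchants' (consult a QSA)"]
    best = max(cands, key=lambda c: SAQ_RANK.index(c[0]))
    return best[0], [f"{saq}: {why}" for saq, why in cands]


if __name__ == "__main__":
    # Constructed sample: a shop with an outsourced web checkout plus
    # standalone IP terminals in its stores. Both A and B-IP match; B-IP wins.
    shop = PaymentProfile(ecommerce=True, ecommerce_fully_outsourced=True,
                          card_present=True, terminals_standalone=True,
                          terminals_ip_connected=True)
    print(merchant_level(150_000), select_saq(shop))
```

The value of writing the rules down this way is that the returned reasons double as the "document your reasoning" record from Step 6, and the candidate list makes any overlap between SAQ types visible instead of silently picking one.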

Step 7: Prepare for Assessment

Once you’ve identified your SAQ:

  • Download the current version from the PCI SSC website
  • Review all requirements
  • Create a project plan for addressing gaps
  • Assign responsibilities to team members
  • Set realistic timelines

Best Practices

Industry Standards

Follow these proven approaches for SAQ selection and completion:

Documentation Excellence:

  • Maintain detailed records of your decision process
  • Create network diagrams before starting
  • Document all payment acceptance methods
  • Keep vendor compliance certificates current

Scope Reduction Strategies:

  • Implement tokenization where possible
  • Use P2PE (Point-to-Point Encryption) solutions
  • Outsource payment pages to compliant providers
  • Segment payment systems from other networks

Regular Review Process:

  • Reassess SAQ applicability annually
  • Update when adding new payment channels
  • Review after system changes
  • Monitor for SAQ version updates

Expert Recommendations

Start Conservative: If you’re between two SAQ types, start with the more comprehensive one. It’s easier to scale down than to discover gaps later.

Vendor Management: Maintain a compliance matrix for all payment-related vendors, including their PCI compliance status and expiration dates.

Change Control: Implement processes to evaluate PCI impact before making system changes.

Pro Tips

  • Use SAQ Eligibility Tools: Many acquiring banks offer online tools to help determine your SAQ type
  • Consider Future Growth: Select an SAQ that accommodates planned business expansion
  • Leverage Compensating Controls: Where you can’t meet a specific requirement, document alternative security measures
  • Maintain Evidence: Keep screenshots, configuration files, and policies that demonstrate compliance

Common Mistakes

What to Avoid

Underestimating Scope:

  • Forgetting about manual card entry systems
  • Overlooking backup payment methods
  • Ignoring paper-based card data

Incorrect Assumptions:

  • Assuming cloud services automatically mean SAQ A
  • Believing tokenization eliminates all PCI requirements
  • Thinking small transaction volumes mean no compliance needed

Documentation Failures:

  • Not maintaining current network diagrams
  • Failing to document payment processes
  • Skipping evidence collection during assessment

Troubleshooting

Common Issues and Solutions:

  • “My payment setup doesn’t fit any SAQ”

    – Solution: You likely need SAQ D or should consult a QSA

  • “Multiple SAQs seem to apply”

    – Solution: Use the most comprehensive applicable SAQ

  • “My processor says I don’t need PCI compliance”

    – Solution: This is rarely true; verify with your acquiring bank

When to Seek Help

Contact a qualified professional when:

  • Your payment environment is complex
  • You process over 1 million transactions annually
  • You store card data electronically
  • Multiple payment channels are involved
  • You’re unsure about technical requirements

Verification

How to Confirm Success

Validate your SAQ selection and preparation:

  • Cross-Reference Check:

    – Compare your setup against SAQ eligibility criteria
    – Verify with multiple sources (bank, processor, PCI SSC)
    – Document any ambiguities

  • Stakeholder Confirmation:

    – Get written confirmation from your acquiring bank
    – Ensure all stakeholders agree with the selection
    – Document the decision process

Testing Approaches

Pre-Assessment Testing:

  • Complete a draft SAQ internally
  • Identify gaps before official submission
  • Test security controls mentioned in requirements
  • Verify all compensating controls work effectively

Validation Methods:

  • Network vulnerability scans (if required)
  • Security control testing
  • Policy and procedure reviews
  • Employee security awareness verification

Documentation

Maintain these essential documents:

  • Completed SAQ with all relevant sections
  • Network diagrams showing card data flow
  • Policies and procedures referenced in SAQ
  • Evidence of security controls implementation
  • Vendor compliance certificates
  • Training records for staff handling card data

FAQ

Q: How often do I need to complete a PCI SAQ?
A: PCI SAQs must be completed annually. However, you should reassess your SAQ type whenever you make significant changes to your payment processing methods or if your transaction volume changes your merchant level.

Q: Can I use different SAQs for different parts of my business?
A: Generally, no. Your entire organization typically falls under one SAQ type based on your highest-risk payment channel. However, completely separate legal entities with distinct payment processing may each complete their appropriate SAQ.

Q: What happens if I choose the wrong SAQ?
A: Selecting an incorrect SAQ can result in non-compliance, leaving you vulnerable to fines, increased transaction fees, and potential loss of card acceptance privileges. If discovered, you’ll need to complete the correct SAQ and may face additional scrutiny.

Q: Do I need to hire a QSA to complete an SAQ?
A: Most merchants completing SAQs don’t require a QSA. However, Level 1 merchants and service providers typically need a QSA assessment. Smaller merchants may benefit from QSA consultation for complex environments.

Q: If I only use third-party payment processors, am I exempt from PCI compliance?
A: No, you’re not exempt. However, you may qualify for SAQ A or SAQ A-EP, which have significantly fewer requirements. You’re still responsible for ensuring your integration maintains security and that your providers are PCI compliant.

Conclusion

Selecting the correct PCI SAQ is fundamental to achieving and maintaining payment card security compliance. By following this systematic approach, you’ll accurately identify your requirements, avoid common pitfalls, and establish a solid foundation for your PCI compliance program.

Remember that PCI compliance is not a one-time event but an ongoing commitment to protecting cardholder data. Regular reviews, updates when your business changes, and continuous security improvements are essential for maintaining compliance and protecting your customers’ sensitive information.

Ready to streamline your PCI compliance journey? SecureSystems.com provides practical, affordable compliance guidance tailored for startups, SMBs, and agile teams. Our expert team of security analysts, compliance officers, and ethical hackers understands the unique challenges you face. We deliver quick action, clear direction, and results that matter—without the enterprise-level complexity or cost. Whether you’re in e-commerce, fintech, healthcare, SaaS, or the public sector, we’ll help you achieve PCI compliance efficiently and effectively. Contact us today to Get started with confidence.
