AuditXYZ

Lesson 3 of 5

PCI DSS Self-Assessment Questionnaire: Choosing and Completing Your SAQ

10 min read · Intermediate

PCI DSS Self-Assessment Questionnaire

Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are not required to undergo a full on-site assessment by a Qualified Security Assessor (QSA). The SAQ you complete depends on how you handle cardholder data. Selecting the right SAQ is critical — choosing the wrong one creates compliance gaps.

SAQ Types

SAQ A is for e-commerce or mail/telephone-order merchants that fully outsource cardholder data processing. If you use a payment provider like Stripe and never touch card data, SAQ A likely applies. It is the shortest SAQ with the fewest requirements.

SAQ A-EP is for e-commerce merchants whose website controls the payment page redirect but does not receive cardholder data. This is common for merchants using Stripe.js or similar client-side payment integrations.

SAQ B is for merchants using only imprint machines or standalone dial-out terminals with no electronic cardholder data storage.

SAQ C is for merchants with payment application systems connected to the internet but no electronic cardholder data storage.

SAQ C-VT is for merchants manually entering transactions via a virtual payment terminal on an isolated computer.

SAQ D is the full questionnaire for merchants that do not qualify for any other SAQ type, and for all service providers. It covers all 12 requirements and is significantly more comprehensive.

Choosing the Right SAQ

Map your payment flow carefully. Identify every point where cardholder data is present, whether it is entered, transmitted, processed or stored — on your website, in your network, and in your systems. If in doubt, consult with your acquiring bank or a QSA. Using a simpler SAQ than your payment flow warrants creates real compliance risk.

Completion Tips

Answer honestly. Marking requirements as "in place" when they are not creates false assurance and liability. For any requirement not in place, document a remediation plan with a timeline. Submit the completed SAQ along with your Attestation of Compliance (AOC) to your acquiring bank.

In the next lesson, we will cover network segmentation.