Choosing the Right PCI SAQ for Your Business: A Practical Guide

Organisations that fall outside of Levels 1of the PCI DSS (Payment Card Industry Data Security Standard) can attest to compliance with an SAQ (self-assessment questionnaire).

You will fall into one of those levels if your organisation processes fewer than six million card transactions per year.

There are several types of questionnaire, and in this blog we help you understand which one is right for you.

What is a PCI SAQ?

Organisations that are subject to the PCI DSS must demonstrate that they have taken appropriate steps to secure the payment card data that they hold.

There are two ways to do this: with a PCI SAQ or an RoC (report on compliance). Each payment brand (American Express, Discover, JCB, MasterCard and Visa) has its own requirements, so they establish the eligibility criteria for SAQ or RoC.

The PCI SAQ is the less rigorous method and is typically used for organisations that process fewer than six million transactions annually.

Once it’s completed, the PCI SAQ is signed off by an officer of the merchant or service provider, validating the organisation’s compliance practices.

PCI SAQ types

There are several types of PCI SAQ that apply in certain circumstances. It’s essential that organisations choose the correct assessment. They are as follows:


For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants. 

It applies where: 

  • The merchant’s website is hosted and managed by a PCI-compliant third-party payment processor; or 
  • The merchant’s website provides an iframe (inline frame) or URL that redirects customers to a PCI-compliant third-party payment processor. 

Nearly all online merchants aim for SAQ A, because it is the simplest, least time-consuming assessment.


For e-commerce merchants that don’t receive cardholder data but do control the method through which data is redirected to a third-party payment processor. 

It applies where: 

  • The merchant’s website creates a payment form and “direct posts” payment data to a PCI-compliant third-party payment processor; or 
  • The merchant’s website provides an iframe or URL that redirects a consumer to a PCI-compliant third-party payment processor, but some elements of the payment page originate from the merchant website. 


For merchants that only process credit card data via imprint machines or via a standalone dial-out terminal. 

Card imprint machines are non-electronic machines that make an imprint of the payment card, transferring the imprint onto a carbon paper receipt, which is then stored by the merchant. 

Dial-out terminals are electronic machines that use chip and PIN and swipe cards, or require users to manually key in information. To be eligible for SAQ B, a merchant’s standalone dial-out terminal must be connected to a phone line and nothing else. 


For merchants that don’t store card data in electronic format but use IP-connected POI (point-of-interaction) devices. These merchants may handle either card-present or card-not-present transactions.


For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function. 


For merchants that process cardholder data via POS (point-of-sale) systems or other payment application systems connected to the Internet. 

To be eligible for SAQ C, a merchant must operate isolated payment application systems that are connected to the Internet and don’t store electronic cardholder data. 


For those that don’t fit into any of the above categories. It is often referred to as ‘Report on Compliance Light’, because it requires organisations to go through all 12 PCI DSS requirements, albeit on a reduced scale. 

There are separate forms for merchants and service providers. 


For merchants that use card-present transactions, meaning it is not applicable to organisations that deal in e-commerce. 

Merchants that use a PCI-validated P2PE (point-to-point encryption) solution and have implemented it successfully are eligible for SAQ P2PE-HW. 

Identify the right SAQ with IT Governance

Hopefully you’ve now identified which SAQ applies to you, but how do you go about completing the form?

That’s where our PCI DSS Documentation Toolkit can help. It contains all the template documents you need to ensure complete coverage of your PCI DSS requirements.

All you need do is fill in the sections that are relevant to your organisation.

The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.

It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant with the Standard.

No Responses