PCI SAQ stands for Payment Card Industry Self-Assessment Questionnaire. Self-assessment is the validation route for merchants and service providers that are not required to undergo a full Report on Compliance (RoC) by an assessor.
The SAQ has two parts:
- A set of self-guided questions designed to assess your level of compliance
- An Attestation of Compliance (AoC), which requires you to attest that you’re both qualified to perform the SAQ and have done so.
The SAQ will require you to attest how your organization meets PCI DSS standards. With a series of yes or no questions, the SAQ will state each PCI requirement and the expected testing, then ask whether the control is:
- In place
- In place with a Compensating Control Worksheet or CCW*
- Not in place
- Not tested
* Compensating controls are considered when an organization cannot meet a requirement exactly as stated (due to technical or business constraints) but has sufficiently mitigated the risk.
If you answer “no” to any of the questions, you’ll be required to explain what your plans are for remediating the gap and the expected timeline. You must meet each control to be compliant with PCI DSS.
PCI DSS SAQ types
There are 8 types of self-assessment questionnaires for merchants and service providers to prove their PCI DSS compliance. The three main types are:
SAQ A is for any e-commerce or mail/telephone order organization where payment cards are not present during the transaction. All cardholder data functions are outsourced to a third-party service provider, and no cardholder data is stored, processed, or transmitted on the merchant’s systems or premises.
SAQ A-EP is also for e-commerce merchants who outsource all payment processing to PCI DSS-compliant third parties. No cardholder data is stored, processed, or transmitted on the merchant’s systems or premises. However, A-EP organizations do have websites that can impact the security of the payment transaction.
All merchants who don’t fit into one of the categories above, and all service providers who are eligible to complete an SAQ, will need an SAQ D.
Deciding which SAQ you need for compliance
Determining which type of SAQ you’ll need to complete mostly comes down to two factors: whether you are a service provider or a merchant, and how you process payments.
If you are a service provider, you will need to complete the SAQ D. If you are a merchant, there are a few items you will need to consider.
Below, we break down the main SAQ types to help you understand key differences and determine which one you qualify for.