What is an SAQ for PCI Compliance?

Home  »  Blog  »  Cyber Security  »  What is...

By Bill Minahan   |   May 20, 2020   |   0 Comments

SAQs for PCI Compliance

An SAQ is a merchant’s statement of PCI compliance. A PCI self-assessment questionnaire (PCI SAQ) is a self-validation tool to assess security for cardholder data.

An SAQ is a way to prove you are taking the security measures needed to keep cardholder data safe and meeting compliance regulations.

The PCI SAQ is made up of a series of yes-or-no questions for each PCI data security requirement.  Furthermore, each SAQ includes a list of security standards that businesses must review and follow to meet PCI compliance.

How long are SAQs for PCI Compliance?

PCI SAQs vary in length depending on the different needs and environments of each merchant required to meet PCI compliance. For instance, PCI SAQ A is the shortest with just 22 questions. In contrast, SAQ D is the longest with 329 questions.

There are two components to the PCI SAQ:

  1. A series of questions corresponding to whichever PCI SAQ template you must take for PCI compliance.
  2. A certification of compliance that states you are eligible to perform and have performed the appropriate SAQ.

Which SAQ are you required to take?

There are 9 different SAQs a merchant can take to meet compliance. Your SAQ depends on how you process credit cards and store cardholder data. For instance, if you sell all your products online and process cardholder data from a trusted third-party, then you are most likely eligible for SAQ A or SAQ A-EP. In contrast, if you have a store that processes credit cards through the internet, or if you store cardholder data, then you are likely required to take SAQ D.

Specifically, there are 9 different types of SAQs for PCI compliance. In order to determine which category your organization falls under, use the list provided below:


Card-not-present merchants ( e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.


E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s system or premises.


Merchants using only:

Imprint machines with no electronic cardholder data storage; and/or

Standalone, dial-out terminals with no electronic data storage


Merchants using only standalone PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.


Merchants who manually enter a single transaction at a time via a keyboard into an internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.


Merchants with payment application systems connected to the internet, no electronic cardholder data storage.


Merchants using only hardware payment terminals that are included and managed via a validated, PCI SSC-listed P2PE solution, with no electronic data storage.

SAQ-D for merchants

All merchants not included in the descriptions for the above SAQ types.

SAQ-D for service providers

All service providers defined by a payment brand as eligible to complete an SAQ.
If you have any questions about which SAQ your company needs to take, then please contact us.

Why are SAQs required for PCI Compliance?

SAQs prove to auditors and customers that you are compliant with PCI requirements. However, compliance is only one half of it. SAQs also prove your handling sensitive data securely and care about security best practices.

In most cases, merchant processors and paying customers do not want to work with businesses that do not take data security seriously. Therefore, they use PCI SAQ as proof of the competence of your security.

PCI Compliance & SAQs

If you have an upcoming PCI audit deadline and need help with compliance or determining which SAQ is right for your business, then please contact one of our compliance and security experts for a quote.

Contact Us

Our compliance experts work as an extension of your team, no matter how big or small your business is. As a result, we help make sure you are PCI compliant and audit-ready.

PCI DSS Compliance Assessment Tool

If you are looking to gauge your PCI compliance strength, then please use our free tool to gain actionable insights into your PCI compliance.

Our tool covers all 12 PCI DSS compliance requirements. Furthermore, it delivers your results in seconds.

Take Assessment

If you have any questions regarding the PCI DSS assessment tool, SAQs, or compliance issues, then please contact us.

Otherwise, you can call us directly at 855-459-6600.

Furthermore, if you are looking for more information on PCI DSS compliance, then you can find it here.

Finally, you can always find us on Twitter, LinkedIn, and Facebook.