What is a PCI-DSS SAQ?

by Mike Ricotta - May 5, 2025

In the most general sense, the PCI-DSS SAQ is a Self-Assessment Questionnaire required by the PCI Security Standards Council for entities handling card data. PCI-DSS is a security framework created and governed by the PCI Security Standards Council. It is required of organizations doing business with banks and card brands (and some states) for the secure use, transmission, and storage of customer payment card information (PCI) such as PAN (personal account number) and SAD (sensitive account data). Generally, PCI-DSS is enforced by a banking entity on any organization passing card data to that bank for payment facilitation/settlement. This typically includes payment processors, gateways, and any merchant passing raw/plaintext card data through their network. A PCI-DSS ROC (Report on Compliance) is issued by a Qualified Security Assessor (QSA), through the authorization of the PCI-DSS board, after auditing your network to verify that it is compliant with these security standards. However, organizations that do not perform these actions, or perform only a fraction of them, may only be required to perform a self-assessment known as a SAQ, of which there are varying degrees of compliance (SAQ A, SAQ D, etc.). The level of effort for a SAQ AOC (Attestation of Compliance) is generally lower than for a PCI-DSS ROC and may not require a QSA to complete. Not sure which is for you? We can provide free guidance. Regardless of whether you’re performing a PCI-DSS ROC or SAQ AOC, we can help!

Which SAQ is right for me?

  • SAQ A: All payment processing is outsourced and you never handle any card data. This is the simplest option, at roughly 30 questions (as opposed to the 700+ for a PCI-DSS ROC). Generally this applies to ecommerce/mail/telephone orders where no electronic storage, processing, or transmission takes place, all payments are taken on an offsite buy page, and no card readers are used.
  • SAQ A-EP: This is a SAQ A where you may be involved in some level of the payment security, such as passing card data through embedded forms.
  • SAQ B: Not for ecommerce environments. No electronic data is transmitted, and the merchant uses imprint machines or dial-out terminals. This isn’t common.
  • SAQ B-IP: This is a SAQ B where a PTS-approved payment terminal is used with an IP connection directly to the processor.
  • SAQ C / C-VT: For merchants with a virtual terminal (VT) or payment applications that have internet connectivity (C), but no electronic data storage and no ecommerce.
  • SAQ P2PE: For merchants using point-to-point encryption with no electronic data storage.
  • SAQ D / SAQ D for Service Providers: This is the most common SAQ and is essentially all-encompassing. Here the merchant may store card data electronically, does not outsource processing, does not use a P2PE solution, but does not need a PCI-DSS ROC.
  • SAQ SPoC: For merchants who have opted to implement the controls in the SPoC instructions provided by their SPoC Solution Provider.