
PCI Compliance SAQ: 9 Types and Which One Is Right for You

    What Is a PCI Self-Assessment Questionnaire (SAQ)? 

    A PCI Self-Assessment Questionnaire (SAQ) is a form used by merchants and service providers who handle credit card data to assess and declare their compliance with the Payment Card Industry Data Security Standard (PCI DSS). The SAQ helps organizations identify gaps in security and ensure they meet industry standards to protect cardholder data. 

    Depending on their card processing methods and the volume of transactions, organizations may be required to complete different versions of the SAQ. Successfully completing an SAQ demonstrates a company’s commitment to maintaining a secure payment environment.

    Completing an SAQ involves answering a series of questions related to the security of cardholder data. The questions are designed to assess the organization’s adherence to the PCI DSS requirements, ranging from maintaining secure systems and protecting cardholder data to managing vulnerabilities and implementing strong access control measures.

    About this Explainer:

    This content is part of a series about PCI Compliance.

    Recommended Reading: What Is SIEM, Why Is It Important and 13 Key Capabilities.


    Who Needs to Complete a PCI DSS Self-Assessment Questionnaire? 

    SAQs are only applicable to smaller merchants: those at PCI Level 3 and 4, with under 1 million transactions per year, and in some cases those at PCI Level 2, with 1-6 million transactions per year. For those merchants, a completed SAQ is sufficient to achieve PCI compliance. Larger merchants must instead undergo an external audit by a Qualified Security Assessor (QSA) and submit a full Report on Compliance (RoC).

    However, all entities required to comply with PCI DSS could benefit from voluntarily filling out an SAQ, because doing so helps identify compliance gaps and improves readiness for an external audit and RoC.

    Tips from the expert

    Steve Moore

    Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.

    In my experience, here are tips that can help you better leverage the PCI Self-Assessment Questionnaire (SAQ) process and optimize your overall PCI DSS compliance efforts:

    Use automated compliance tools
    Solutions like Exabeam Fusion SIEM can enhance visibility and streamline compliance. Automate log collection, monitoring, and reporting to ensure continuous compliance and faster incident response.

    Map your cardholder data flow
    Before selecting an SAQ, conduct a detailed data flow mapping exercise to identify how cardholder data enters, moves through, and exits your systems. This ensures you choose the correct SAQ type and highlights areas to secure.

    Leverage tokenization and encryption
    Consider implementing tokenization and end-to-end encryption to minimize PCI scope. These technologies reduce exposure and simplify compliance, making many SAQs easier to complete.

    Engage with third-party providers early
    If you rely on third-party payment processors or service providers, ensure they provide proof of their PCI DSS compliance (e.g., Attestation of Compliance). This documentation is crucial for SAQ A, A-EP, and related types.

    Monitor scope creep continuously
    Over time, new applications, systems, or business processes may inadvertently introduce cardholder data into areas previously out of scope. Regularly revisit your PCI environment boundaries.


    The 9 Types of PCI SAQs and Applicability 

    Here’s an overview of the different types of SAQs used to demonstrate PCI DSS compliance.

    SAQ A

    SAQ A applies to merchants who outsource all cardholder data functions to PCI DSS-compliant third-party service providers and do not electronically store, process, or transmit any cardholder data on their systems or premises. Typically, this involves eCommerce businesses that redirect customers to a third-party payment processor.

    Merchants eligible for SAQ A must ensure their third-party providers maintain PCI DSS compliance, which reduces their exposure to cardholder data risks. Completing SAQ A involves attesting to not handling card data directly and relying on compliant providers for payment processing.

    SAQ A-EP

    SAQ A-EP is designed for eCommerce merchants who delegate all payment processing to PCI DSS-compliant third parties but use a website that could influence the security of the payment transaction, such as a payment page. These merchants do not handle credit card data directly but must ensure their digital environments do not compromise transaction security.

    Eligibility for SAQ A-EP requires using web technologies that securely redirect or iframe customers to payment processors. Merchants completing SAQ A-EP must verify that their webpages are secure and do not introduce vulnerabilities into the payment process.

    SAQ B

    SAQ B is for merchants using standalone, dial-out terminals for card processing, with no electronic cardholder data storage. This SAQ is appropriate for businesses with simple card processing setups that do not involve Internet connectivity in the transaction process.

    Merchants eligible for SAQ B focus on securing the physical environment around the terminal and ensuring the terminal itself is compliant with PCI standards. Responses in SAQ B revolve around physical security measures and isolated payment terminals.

    SAQ B-IP

    SAQ B-IP is intended for merchants utilizing standalone, IP-connected terminals that don’t store cardholder data electronically. Unlike SAQ B, these terminals connect to payment processors via the Internet, requiring additional security controls to protect transaction data.

    Completing SAQ B-IP requires merchants to secure the network environment around IP-connected terminals, implement firewalls, and regularly update software to protect against vulnerabilities. The focus is on maintaining terminal and network security in Internet-enabled payment processing.

    SAQ C

    SAQ C targets merchants with payment application systems connected to the Internet, without storing cardholder data. This applies to businesses that have more complex payment systems compared to those using standalone terminals but still do not store data electronically.

    Eligibility for SAQ C involves using payment software and having an Internet connection for transaction processing. Security measures focus on protecting the system from online threats, securing payment software, and ensuring safe Internet connectivity.

    SAQ C-VT

    SAQ C-VT is for merchants who manually enter cardholder data into an Internet-based virtual terminal solution provided by a third party without storing credit card data. This scenario often involves call centers or mail order businesses that process card payments manually.

    Merchants completing SAQ C-VT must ensure their virtual terminal environment is secure, implement access controls to protect data, and regularly update antivirus software. SAQ C-VT emphasizes cybersecurity measures for environments where data is manually entered but not stored.

    SAQ P2PE-HW

    SAQ P2PE-HW applies to merchants using hardware payment terminals within a validated and PCI SSC-listed Point-to-Point Encryption (P2PE) solution. This significantly reduces the scope of PCI DSS requirements by encrypting data directly within the payment terminal.

    Eligibility for SAQ P2PE-HW requires the use of approved P2PE hardware devices. Completing this SAQ involves attesting to the use of these devices and demonstrating compliance with P2PE instructions, focusing on secure handling and processing of transactions.

    SAQ D for Merchants

    SAQ D for Merchants is intended for those who store, process, or transmit cardholder data and do not fit into the categories for the other SAQ types. This is the most comprehensive SAQ, covering all PCI DSS requirements due to the increased risk associated with handling cardholder data directly.

    Completing SAQ D for Merchants requires a thorough assessment of the organization’s payment processing environment, including network security, data protection measures, and access controls. It demands rigorous attention to detail and comprehensive security practices.

    SAQ D for Service Providers

    Similar to SAQ D for Merchants, but aimed at service providers, this SAQ addresses those entities that manage cardholder data on behalf of merchants. It covers services from hosting and payment processing to data storage.

    Service providers completing SAQ D must demonstrate they meet all applicable PCI DSS requirements, focusing on protecting stored data, securing networks, and managing access controls. This SAQ ensures that service providers maintain a secure environment for their clients’ cardholder data.


    What Is New in Version 3 of PCI SAQs?

    Version 3 of the PCI DSS Self-Assessment Questionnaires (SAQs) introduces several key updates aimed at providing clearer guidance and simplifying the assessment process for organizations. The updates include:

    • Updated format: The SAQs now feature a more intuitive format, including an “Expected Testing” column to describe the specific testing activities organizations should perform to assess each PCI DSS requirement. This aims to help entities more accurately determine compliance status.
    • Response options: The previous “Special” column has been divided into two new columns: “Yes with CCW” (Compensating Control Worksheet) and “N/A” (Not Applicable), allowing for more precise responses to the PCI DSS requirements.
    • Guidance and structure: The beginning of each SAQ now includes additional guidance on how to properly complete the questionnaire. Furthermore, the structure within the SAQ documents has been reorganized for better coherence, with Parts 3 and 4 of the Attestation of Compliance (AOC) now following the questionnaire section to ensure comprehensive attestations.

    These changes were designed to enhance the clarity and utility of the SAQs, aiding organizations in their self-assessment process and ensuring a more accurate reflection of their compliance with PCI DSS standards.


    How to Submit Your PCI DSS SAQ 

    Once the appropriate SAQ is completed, it must be submitted along with any required validation documents to the merchant’s acquiring bank or payment brand, as directed. The process typically includes signing a self-assessment attestation form, which confirms the accuracy of responses and compliance status.

    Organizations should consult with their acquiring bank or payment brand for specific submission instructions, as processes may vary.


    How to Choose the Right SAQ 

    To assist in choosing the right PCI Self-Assessment Questionnaire (SAQ), here’s a table that summarizes the types of SAQs, applicable merchant types, account data scope, and whether electronic account data storage is allowed.

    SAQ A
      Type of merchant: Merchants outsourcing all cardholder data functions to PCI DSS-compliant third-party service providers. Typically, eCommerce businesses redirecting customers for payment.
      Account data scope: No direct handling, processing, or transmitting of cardholder data on their systems or premises.
      Electronic account data storage allowed: No

    SAQ A-EP
      Type of merchant: eCommerce merchants using web technologies to securely redirect customers to payment processors, without direct handling of credit card data.
      Account data scope: Digital environments influence the security of the payment transaction but do not store, process, or transmit cardholder data.
      Electronic account data storage allowed: No

    SAQ B
      Type of merchant: Merchants using standalone, dial-out terminals with no electronic cardholder data storage.
      Account data scope: Payment processing setups without Internet connectivity, focusing on physical security measures.
      Electronic account data storage allowed: No

    SAQ B-IP
      Type of merchant: Merchants with standalone, IP-connected terminals not storing cardholder data electronically.
      Account data scope: Internet-connected terminals requiring network security controls to protect transaction data.
      Electronic account data storage allowed: No

    SAQ C
      Type of merchant: Merchants with payment application systems connected to the Internet, without electronic data storage.
      Account data scope: More complex systems than standalone terminals, with an emphasis on online threat protection.
      Electronic account data storage allowed: No

    SAQ C-VT
      Type of merchant: Merchants manually entering card data into an Internet-based virtual terminal solution without storage.
      Account data scope: Call centers or mail order businesses processing payments manually, focusing on virtual terminal security.
      Electronic account data storage allowed: No

    SAQ P2PE-HW
      Type of merchant: Merchants using hardware payment terminals within a PCI SSC-listed P2PE solution.
      Account data scope: Reduces PCI DSS scope by encrypting data within the payment terminal, focusing on secure handling and processing.
      Electronic account data storage allowed: No, data is encrypted.

    SAQ D for Merchants
      Type of merchant: Merchants storing, processing, or transmitting cardholder data, not covered by other SAQ types.
      Account data scope: Comprehensive coverage of all PCI DSS requirements due to direct handling of cardholder data.
      Electronic account data storage allowed: Yes

    SAQ D for Service Providers
      Type of merchant: Service providers managing cardholder data on behalf of merchants.
      Account data scope: Similar to SAQ D for Merchants but aimed at service providers, covering comprehensive PCI DSS requirements.
      Electronic account data storage allowed: Yes

    PCI DSS Compliance with Exabeam Fusion SIEM

    In the end, PCI DSS compliance is all about proving to auditors what you say you do — and Exabeam can help. While DLP, endpoint, vulnerability scanning, network, and identity vendors give you pieces of the puzzle, Exabeam Fusion SIEM helps you put it all together to see a full picture of attack, adding context and risk scoring to events and alerts to show an end-to-end PCI DSS compliance picture.  

    Exabeam Fusion SIEM offers reports for your security teams on vulnerabilities discovered on PCI assets. This report draws on vulnerability scan detail data produced by firewalls, routers, switches, and any other device that produces vulnerability data. Vulnerability scans of the cardholder data environment expose weaknesses in networks that could be found and exploited by malicious individuals. Organizations use this report to identify specific high and/or critical vulnerabilities on cardholder systems that need to be fixed.

    Fusion SIEM also examines credit card data findings, in motion or at rest, reported by IDS, IPS, and DLP systems, to provide visibility into potentially unauthorized transmissions of credit card data over the network or to unauthorized removable storage devices. Customers use this report to identify the source of the transmission so it can be further investigated and fixed. The cardholder data environment should be monitored for unauthorized egress transmission of credit card data using IDS, IPS, and DLP-based technologies.
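    As an added example of the kind of egress check described above (this is not Exabeam's code or Fusion SIEM report logic), the following scans constructed proxy/DLP log lines for Luhn-valid card numbers and flags any headed to a destination outside an assumed allowlist of payment processors. The log format, hostnames, and allowlist are all assumptions.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not real traffic). Assumed format:
# "<timestamp> src=<host> dst=<host> payload=<text>"
SAMPLE_LOGS = [
    '2024-05-01T10:00:00Z src=pos-01 dst=gateway.example-processor.test payload="tx ok ref 4111111111111111"',
    '2024-05-01T10:01:00Z src=pos-01 dst=dropbox-like.test payload="export 4111-1111-1111-1111 exp 12/27"',
    '2024-05-01T10:02:00Z src=crm-02 dst=mail.test payload="order 1234567890123456 shipped"',
    '2024-05-01T10:03:00Z src=pos-02 dst=usb-storage payload="batch 5500 0000 0000 0004"',
]

# Assumed allowlist: the only destination that may legitimately receive PANs.
ALLOWED_EGRESS = {"gateway.example-processor.test"}

# 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SRC_DST = re.compile(r"src=(\S+) dst=(\S+)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan_egress(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per Luhn-valid PAN seen leaving a host, with the PAN masked."""
    findings = []
    for line in lines:
        m = SRC_DST.search(line)
        if not m:
            continue
        src, dst = m.group(1), m.group(2)
        for cand in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", cand.group(0))
            if not luhn_ok(digits):
                continue        # looks like a card number but is not one
            findings.append({
                "src": src,
                "dst": dst,
                "pan_masked": "*" * (len(digits) - 4) + digits[-4:],  # never log the full PAN
                "verdict": "allowed" if dst in ALLOWED_EGRESS else "UNAUTHORIZED_EGRESS",
            })
    return findings
```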

    From credential anomalies and unusual activity or movement to credit card data access or transmissions, Exabeam offers a clear view of “normal” for any credential, data movement, and activity. This helps streamline your SOC workflow and response in the event of a compromised or malicious insider, and supports detection of lateral movement by malware or ransomware within your ecosystem.
