Self-Assessment Questionnaires

There are eight SAQ types under PCI DSS v4.0. Pick the one that matches how cards are accepted in your business, then download the official PDF from the PCI Security Standards Council.

SAQ A: Fully outsourced card processing

For merchants who outsource all cardholder data processing to PCI DSS-compliant third parties. No electronic storage, processing, or transmission of cardholder data on your systems. Any retained data must be on paper (e.g. receipts).

Applies to: E-commerce or mail/telephone order (MOTO) transactions where cards are not present.
Restrictions: Must fully outsource to validated providers; no electronic data handling. Shortest SAQ.

SAQ A-EP: E-commerce site that redirects to the processor

Similar to SAQ A, but for e-commerce where you control the redirection to the third-party processor (for example, your website hosts the initial data entry page). No electronic storage on your systems.

Applies to: E-commerce transactions only.
Restrictions: Outsourcing required except for the data ingestion page; no electronic data storage.

SAQ B: Imprint machines or dial-out terminals

For merchants using imprint machines or standalone dial-out terminals (connected via phone line to the processor). No electronic storage of cardholder data.

Applies to: Brick-and-mortar (card-present) or MOTO environments.
Restrictions: Limited to specific hardware; no internet-connected systems or electronic storage.

SAQ B-IP: Standalone IP-connected POI devices

For merchants using standalone, PIN Transaction Security (PTS)-approved point-of-interaction (POI) devices with an IP connection to the processor. No electronic storage.

Applies to: Brick-and-mortar or MOTO.
Restrictions: Devices must be PTS-approved and isolated; no other electronic data handling.

SAQ C: Internet-connected payment applications

For merchants with payment application systems (e.g. POS) connected to the internet, but no electronic storage of cardholder data.

Applies to: Brick-and-mortar or MOTO with internet-connected apps.
Restrictions: Systems must not store data electronically; requires segmentation from other networks.

SAQ C-VT: Hosted virtual terminal

For merchants using third-party virtual terminals on an isolated computing device (for example, manually keying single transactions). No electronic storage.

Applies to: Brick-and-mortar or MOTO with virtual terminals.
Restrictions: Device must be isolated; hosted by a validated provider; manual entry only.

SAQ P2PE: Validated P2PE solution

For merchants using validated Point-to-Point Encryption (P2PE) solutions (hardware-based) to encrypt data from entry through to processor. No electronic storage of unencrypted data.

Applies to: Brick-and-mortar or MOTO with P2PE terminals.
Restrictions: Solution must be PCI-listed and validated; significantly reduces scope.

SAQ D: Full questionnaire (catch-all)

The full questionnaire for merchants or service providers who don't qualify for any of the other SAQs. Covers all PCI DSS requirements; allows electronic storage if compliant.

Applies to: Any scenario not covered above, including custom setups or merchants storing card data electronically.
Restrictions: Catch-all option. Separate versions exist for merchants (SAQ D-Merchant) and service providers (SAQ D-Service Provider). The longest and most comprehensive SAQ.

2-minute quiz

Not sure which SAQ applies to you?

Answer a handful of quick questions about how your business handles cards and we'll point you straight at the right Self-Assessment Questionnaire — no signup, no email required.

Free · ~2 minutes · Tailored recommendation
SAQ assistance

Need help filling out the form?

We understand the PCI jargon and can make the process painless for you.

$145 USD · one-time

Let us help you fill in the SAQ (Self-Assessment Questionnaire) form, which will take us approximately 3 hours. Once we finish, you'll need to check over all the answers and sign that they are true and correct. After signing, you simply email it to your payment gateway (or bank). If you store customer card data on your own machine, you'll also need to submit a passed ASV scan report if you wish to become compliant. The SAQ form must be re-lodged every 12 months.

Guarantee

If our tech team is unable to fully understand your server or deployment scenario (for example, some sophisticated corporate setups), we refund the amount paid in full and recommend more expensive consultants for your case. The absolute top technicians in the PCI field normally charge between $400 and $600 per hour.