This guide is also used by ValPay to assign the correct PCI Product Code in Aperia.
Why PCI SAQs Matter
Every business that accepts credit card payments must complete a PCI SAQ each year.
The correct SAQ depends entirely on how the merchant accepts payments and whether they store or handle cardholder data.
Choosing the correct SAQ ensures:
Reduced compliance scope
Accurate security requirements
Faster onboarding
No unnecessary PCI fees or audits
SAQ Types Explained (In Simple Terms)
Below is an overview of each SAQ type in plain language.
SAQ A — Fully Outsourced Online Payments
For merchants who only take online or phone/mail payments and never handle card data directly.
✔ Uses hosted payment pages, redirect checkout, iFrames
✔ No in-person card machines
✔ No card data ever touches their systems
In simple terms:
The payment provider handles everything. The merchant’s website never sees card numbers.
SAQ A-EP — E-commerce Sites That Influence Checkout Security
For merchants who take online payments only, but whose website loads scripts or content that impacts the security of the payment page.
✔ They don’t receive card data
✔ Their website still affects the payment environment
In simple terms:
The merchant doesn’t touch card data, but their website influences the checkout.
SAQ B — Imprinters or Dial-Up Terminals Only
For merchants using:
✔ Imprinters
✔ Stand-alone dial-up terminals (telephone line)
✔ No card data storage
✔ No internet-connected devices
In simple terms:
Old-style machines only — no online or modern terminals.
SAQ B-IP — Standalone IP-Connected Terminals
For merchants using only standalone countertop payment terminals (no POS integration).
✔ No e-commerce
✔ No card data storage
✔ Hardware is PCI-approved and isolated
In simple terms:
A simple card terminal that is not connected to any software.
SAQ C-VT — Virtual Terminal Only
For merchants who hand-key card numbers into a secure web-based virtual terminal.
✔ One device per user
✔ No stored card data
✔ Browser-based system
In simple terms:
The merchant types card numbers into a webpage manually.
SAQ C — POS or Software-Integrated Terminals
For merchants whose software or POS system connects to the payment processor.
✔ System connects to the internet
✔ No stored card data
✔ Semi-integrated or fully integrated terminals
In simple terms:
Their point-of-sale system talks directly to the payment processor.
SAQ P2PE — Validated P2PE Terminal Solutions
Only for merchants using PCI-listed P2PE devices.
✔ Card data is encrypted immediately
✔ No access to card data
In simple terms:
Terminals encrypt everything from the moment the card is tapped/swiped.
(Note: Not all terminal providers qualify as P2PE.)
SAQ SPoC — Mobile Device + Secure Card Reader
For merchants taking payments on:
✔ A smartphone or tablet
✔ A secure SPoC-approved card reader
In simple terms:
A mobile checkout with a secure card reader attached.
SAQ D — For Everyone Else
If a merchant does not clearly fit into the categories above, they will complete SAQ D.
✔ Merchants who store or handle card data
✔ Complex POS environments
✔ Multi-system infrastructures
In simple terms:
If nothing else fits, the merchant is SAQ D.
How Partners Can Determine the Right SAQ (Quick Checklist)
Use the questions below to guide merchants and identify their SAQ type.
1. Does the merchant store, process, or transmit card data?
Yes → SAQ D
No → Continue
2. How does the merchant accept in-person card payments?
Standalone countertop terminal → SAQ B-IP
POS system integrated with terminals → SAQ C
Mobile device + secure reader → SAQ SPoC
Manual imprinter or dial-up → SAQ B
No in-person payments → Continue
3. How does the merchant accept online payments?
Hosted payment page / Redirect / iFrame → SAQ A
Custom website loading scripts or forms → SAQ A-EP
API or software integration with card data → SAQ D
4. Does the merchant key in payments manually?
Yes → SAQ C-VT
No → Continue
5. None of the above apply?
→ The merchant is SAQ D
