If you accept card payments, you're required to show that you handle cardholder data securely. For most businesses, that means completing a PCI DSS Self-Assessment Questionnaire, or SAQ — a checklist you complete yourself (rather than a full onsite audit) that matches the way you actually take payments. There are nine SAQ types, and which one applies to you depends entirely on how card data moves through your business, not on your size or how much you process.
A quick note before you dig in
You're the one confirming which SAQ fits your business, and your acquirer or payment processor has the final say — they may ask you to complete a specific one, or have additional requirements on top. If you're ever unsure, reach out to us and we can help you work through it.
The nine SAQ types, in plain language
SAQ A — you take card-not-present payments (online or phone/mail order) and you've fully handed off payment processing to a compliant third party. You never see or touch card data yourself, not even electronically.
SAQ A-EP — you run an e-commerce site and use a compliant processor, but your own website builds the payment form or loads a script that affects the checkout page, even though it never receives the card data directly.
SAQ B — you take payments only through an imprint machine (the old manual card-swipe) and/or a standalone terminal that dials out over a phone line. Nothing gets stored electronically.
SAQ B-IP — similar to SAQ B, but your standalone terminal connects over the internet (IP) instead of a phone line.
SAQ C — you run POS or payment software connected to the internet at a single store location, isolated on its own network, with no electronic storage of card data.
SAQ C-VT — you manually type card numbers into a web-based virtual terminal hosted by your processor, from a device that's isolated from everything else — no card reader attached, no local payment software.
SAQ D — the catch-all. If your setup doesn't match any of the others (you store card data, your website receives it directly, you run multiple locations on a shared network), this is where you land. It covers the full set of PCI DSS requirements.
SAQ P2PE — you process every transaction through a validated, PCI-listed point-to-point encryption solution, so card data is encrypted the instant it's entered and your systems never see it in clear text.
SAQ SPoC — new for PCI DSS v4.0. You take in-person payments using a PCI-listed card reader paired with a regular phone or tablet, as part of a validated SPoC solution. This one's for attended, in-person transactions only — not phone/mail order or online sales.
The fastest way to narrow it down
Ask yourself three questions: how do you take payments (in person, by phone/mail, or online)? Does any part of your own systems ever touch card data electronically, even briefly? And if you sell online, does any part of your checkout page come from your own website, or is it entirely hosted/redirected by your processor? Those three answers rule out most of the wrong options fast.
If you take payments more than one way
If you run, say, an online store and a retail counter, you may need to complete a separate SAQ for each channel. Your acquirer can tell you whether they want them submitted separately or combined.
One more thing worth knowing
If you're renewing this year and it's been a while since your last self-assessment, don't assume the same SAQ letter still applies — the eligibility rules changed for several SAQ types when PCI DSS moved from v3.2.1 to v4.0. It's worth reconfirming rather than defaulting to what you used last time.
Still not sure which one fits? Reach out to our support team and we'll help you figure it out.
