PCI DSS Self-Assessment Questionnaires: Choosing the Right Type

If you process credit card payments, you need to prioritize security. One way to demonstrate that commitment is by complying with the Payment Card Industry (PCI) Data Security Standard (DSS).

The PCI Security Standards Council (SSC) sets these standards to protect customer data against fraud and identity theft. The PCI DSS contains dozens of security controls, and which ones apply depends on how your business handles credit card data.

To maintain PCI compliance, businesses—referred to as merchants—need to complete an annual PCI validation form. If you’re a smaller business that processes less than 6 million transactions every year, you can complete a PCI DSS Self-Assessment Questionnaire (SAQ) to confirm compliance and streamline the auditing process. 

What Is a PCI DSS SAQ?

The PCI DSS SAQ is a tool that merchants and related service providers (such as payment gateways or data hosting providers) can use to assess and report their PCI DSS compliance. An SAQ has two main parts: the questionnaire itself and an Attestation of Compliance (AoC), which summarizes the SAQ for stakeholders or partners.

There are eight types of PCI DSS SAQ, which we’ll explain below. The right one for your business depends on your cardholder data environment (CDE), meaning the systems and processes through which you handle credit card data, and on how many transactions your business processes.

Regardless of the type you complete, a PCI SAQ has three sections:

  • Section 1: Basic assessment information, including company details, a description of the cardholder data environment, and the SAQ type.
  • Section 2: The bulk of the questionnaire, where your organization answers a series of yes/no questions about its compliance and information security controls.
  • Section 3: Validation and attestation details, including any remediation still required to meet compliance.

Who Needs to Complete a PCI SAQ?

Any business that stores, processes, or transmits credit card information must adhere to PCI DSS compliance requirements. But the volume of transactions an organization processes affects how strict its compliance obligations are. The more card data you handle, the more security you need, because the stakes are higher if your systems are compromised.

If you’re a merchant and process under 6 million card transactions per year, you’re eligible to complete a PCI DSS SAQ. For service providers, the threshold is much lower: any provider under 300,000 card transactions per year is eligible.

If your business exceeds either of these numbers, you aren’t eligible to complete an SAQ. Instead, you have to complete a Report on Compliance (RoC), which is more thorough and requires a PCI DSS audit by a third-party assessor.

The PCI SSC also breaks compliance thresholds down into levels. Here’s a quick guide to the four PCI DSS compliance levels for merchants:

  • Level 1 includes merchants that process more than 6 million annual transactions. A merchant that has experienced a data breach is also treated as Level 1, regardless of size.
  • Level 2 covers merchants that process 1–6 million annual transactions.
  • Level 3 includes merchants that process between 20,000 and 1 million online transactions annually.
  • Level 4 is for smaller merchants that process fewer than 20,000 online transactions annually.

Service providers belong to only two levels: Level 1 processes over 300,000 transactions, and Level 2 processes under 300,000. Only Level 2 service providers can complete an SAQ.

Reach out to your financial team for guidance if you have questions about your eligibility to submit an SAQ or whether you need to complete an RoC instead.

Types of PCI DSS SAQs

There are eight types of PCI DSS self-assessment questionnaire, and you can find them all on the PCI SSC website. Here’s a quick guide to each one and which might be best for you:

1. SAQ A

PCI DSS SAQ A applies to merchants that only process card-not-present payments (such as ecommerce or phone-order merchants) and fully outsource payment processing to a third-party vendor. To qualify for SAQ A, the business must not store, process, or transmit account data on its own systems.

2. SAQ A-EP

Similar to SAQ A, this questionnaire covers ecommerce merchants that partially outsource payment processing but whose own systems affect how cardholder data is transmitted. The merchant still doesn’t store or process cardholder data directly.

3. SAQ B

Merchants that qualify for SAQ B process account data only through standalone dial-out terminals or imprint machines. This usually means the retailer is a brick-and-mortar merchant and doesn’t conduct ecommerce sales.

4. SAQ B-IP

Merchants that use PIN Transaction Security (PTS) Point of Interaction (POI) devices connected over IP to transmit account data to the payment processor fall into this category. The scenario is similar to SAQ B and typically applies to brick-and-mortar stores or telephone-order shops. It doesn’t apply to ecommerce channels or to merchants that store card data.

5. SAQ C

To qualify for SAQ C, a merchant must have payment application systems connected to the Internet, meaning it processes card data through brick-and-mortar point-of-sale (POS) systems or over the phone without the card present. The card data goes directly to the service provider through the processor and isn’t stored.

6. SAQ C-VT

SAQ C-VT shares a main commonality with SAQ C—it’s for businesses that connect to the Internet to process account data. But these merchants enter transactions into a third-party virtual payment terminal from an isolated, Internet-connected computer. This is typical only of brick-and-mortar or phone-order businesses.

7. SAQ P2PE

If you use a validated, PCI-listed point-to-point encryption (P2PE) solution to process account data, you should complete SAQ P2PE. P2PE encrypts cardholder data at the point of interaction and keeps it encrypted until it reaches the payment processor; the merchant has no ability to decrypt the payment data.

8. SAQ D

SAQ D has two subtypes: SAQ D for Merchants and SAQ D for Service Providers. Any merchant that doesn’t meet the criteria above should complete SAQ D, as should every service provider. This includes merchants and providers that accept and store cardholder data, whether online or in person.

Which PCI DSS SAQ Is Right for You?

The PCI SSC offers instructions and guidelines to help businesses determine which category they fall into.

As a service provider, determining which PCI assessment you’re eligible for is easy—there’s only one option (SAQ D). For merchants, there’s a lot more that goes into working out which SAQ you must complete. Here’s a flowchart from the SSC to help you determine what applies to your environment:

Image Credit: PCI SSC 

Achieve PCI DSS Compliance With Legit Security 

To prevent non-compliance, you need a partner. Legit Security quickly and easily provides the real-time evidence you need to complete self-assessments, without painful manual work. Legit further helps you align your security guardrails to PCI DSS requirements and then continuously monitors for and alerts on any policy violations.

Schedule a demo to learn how you can use Legit Security to streamline PCI DSS compliance.

Published on
October 29, 2024