We are open & providing remote audit and compliance services during this national emergency.
Learn more about our Virtual Auditing Services during Covid 19

New White Paper: “The Complete Guide to Enterprise Risk Management” DOWNLOAD NOW
Listen to: "PCI DSS SAQ Types: Which Type Is Right for Your Business?"

Choosing the Right PCI-DSS Self-Assessment Questionnaire

All merchants and service providers who either store, process, or transmit payment card information are required to be Compliant with the Payment Card Industry (PCI) Data Security Standards (DSS). Compliance aside, protecting your customers’ payment card information is imperative for customer retention and brand protection.

But understanding the requirement to comply with PCI is only part of the battle. What do you need to do next? The answer to that question depends on several factors. The volume of payment cards you store, process, or transmit. Card brands have set volume thresholds that may allow you to self-assess. If your organization is above the volume thresholds, you may not self-assess and must have a report on compliance (ROC) conducted by a Qualified Security Assessor (QSA).

If you are under the SAQ transaction volume threshold, you must then select the SAQ that is appropriate to your organization.


How does your organization store, process, or transmit payment card data? The PCI Council has created nine self-assessment questionnaires (SAQs) that are tailored to payment card transaction channels. Selecting the appropriate PCI Self-Assessment Questionnaire is an important step in complying. The PCI Council provides guidance on selecting the appropriate SAQ, however even with the guidance provided, many organizations struggle with selecting the correct SAQ.

PCI DSS SAQ TypeEligibility CriteriaNo. of Questions
SAQ AFor e-commerce/mail/telephone-order (card-not-present) merchants which have completely outsourced all cardholder data functions. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.24
SAQ A-EPFor e-commerce-only merchants that rely on third-party service providers to handle card information and which have a website that doesn’t process credit card data, but could impact the security of the payment transaction. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.192
SAQ BFor merchants which utilize imprint machines and/or standalone, dial-out terminals, and do not transmit, process, or store electronic cardholder data. This is not for e-commerce activities.41
SAQ B-IPFor merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and which do not store electronic cardholder data. This is not for e-commerce activities.87
SAQ C-VTFor merchants which utilize a virtual terminal on one computer dedicated solely to card processing, and which do not store electronic cardholder data. This is not for e-commerce activities.161
SAQ CFor any merchant which utilizes a payment application connected to the internet, but with no electronic cardholder data storage.84
SAQ P2PEFor merchants which utilize approved point-to-point encryption (P2PE) devices, with no electronic cardholder data storage.34
SAQ D for MerchantsFor all SAQ-eligible merchants which don’t meet the criteria for other types. For merchants which do not outsource their credit card processing or use a P2PE solution, and may store credit card data electronically.328
SAQ D for Service ProvidersFor service providers deemed eligible to complete an SAQ.370

Which PCI DSS SAQ Is Right for Your Organization?

If you are ready to start delving into the PCI DSS compliance process, but feel the need for some extra guidance, our team at I.S. Partners, LLC. can help. Our QSAs are ready to assist you in identifying the SAQ best suited to your company.

Call us today at 215-675-1400 or request a quote to start the conversation.

Get Hassle-free Pricing in 3 Easy Steps

Request a quote using the form below
Allow us to create a customized plan
We'll get you an accurate, no-obligation quote
Untitled-1 Asset 1 Request a Quote Background

Request a Quote

Please fill out the fields below and one of our compliance specialists will contact you shortly. Want to speak to us now? Call us at (866) 642-2230

Request a Quote (Keep)

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.


Great companies think alike!

Join hundreds of other companies that trust I.S Partners for their compliance, attestation and security needs.

Teladoc VeriClaim DentaQuest VisioNet Verifacts Sterling AV Med DOE Legal