• Saturday, 18 July 2026
Self-Assessment Questionnaires (SAQs): Which One Is Right for Your Business?

Self-Assessment Questionnaires (SAQs): Which One Is Right for Your Business?

If your business handles credit card payments, you’re likely familiar with the term PCI DSS. It stands for Payment Card Industry Data Security Standard, and it outlines how businesses must protect cardholder data. One important part of maintaining PCI compliance is filling out a Self-Assessment Questionnaire, or SAQ. SAQs are tools that help businesses verify that they are following security requirements. There isn’t just one standard SAQ. In fact, there are several PCI SAQ types, each designed for a different type of business. Choosing the right one can seem confusing at first, but it becomes easier when you understand how they are structured.

Why SAQs Matter for Merchants

SAQs are designed to make PCI DSS more manageable for businesses, especially small and medium sized ones. Instead of requiring every merchant to go through a full external audit, the SAQ is a simpler way to prove compliance. But it’s not just a formality. Filling out the SAQ truthfully and correctly is key. The SAQ asks you to confirm your business follows specific data security practices. If you check “Yes” for a question, you’re saying your business complies. If you check “No” you’re saying your business needs to take action. In some cases this means implementing new technology or updating policies.

Not completing your SAQ or doing so incorrectly can have serious consequences. It can result in fines from your payment processor, increased fees or even losing the ability to accept card payments. That’s why understanding this process and choosing the right SAQ is so important. In short the SAQ is both a protection and a responsibility. It ensures you meet security expectations and shows your customers their data is in good hands.

Overview of the Different PCI SAQ Types

The PCI Security Standards Council has defined several PCI SAQ types, each designed for a specific type of merchant or service provider. These SAQs are named SAQ A through SAQ D (and some variations in between). They vary in length, detail, and the level of technical requirements.

Here is a brief overview:

  • SAQ A is for merchants who outsource all payment processing to third-party providers and do not store, process, or transmit any cardholder data.
  • SAQ A-EP is for e-commerce merchants who use third-party services but still manage part of the payment process.
  • SAQ B is for merchants who use standalone dial-out terminals with no internet connection.
  • SAQ B-IP is similar but applies to merchants with IP-connected terminals.
  • SAQ C is for merchants who have payment systems connected to the internet but no data storage.
  • SAQ C-VT is for merchants who use virtual payment terminals with no card data storage.
  • SAQ D is the most detailed and is required for merchants that do not qualify for the simpler SAQs or store cardholder data.

Each of these SAQs is tailored to a specific setup, which is why understanding your payment environment is essential before selecting the right form.

How to Choose the Right SAQ for Your Business

So how do you choose the right SAQ? It all starts with how you process credit card payments. Are you using a third party e-commerce platform? Do you have card terminals that connect to the internet? Do you store any cardholder data?

The answers to these questions will lead you to the correct PCI SAQ. For example if you’re using a hosted checkout page provided by a third party and you don’t store any data, you’ll probably fall under SAQ A. But if your website collects payment details before passing them to a third party processor, you may need SAQ A-EP.

A merchant SAQ guide provided by your payment processor or the PCI Security Standards Council will help you figure out where your business fits. Take the time to review this carefully. Choosing the wrong SAQ can result in non-compliance even if your intentions are good. If you’re unsure, it’s always best to consult with a PCI DSS expert or your payment processor. They can help ensure your business is aligned with the correct PCI DSS for different merchants and that you’re filling out the right form.

SAQ A and SAQ A-EP: For E-Commerce Businesses

Many online businesses use third-party services to handle payments. In these cases, SAQ A or SAQ A-EP may apply. SAQ A is for merchants who have fully outsourced the payment processing and have no access to card data. Think of a retailer that sends customers to PayPal or Stripe for checkout.

SAQ A is the simplest and shortest of all the PCI SAQ types. It has fewer requirements because the risk is lower. Since the business never touches the card data, the compliance burden is smaller. SAQ A-EP is more complex and applies when merchants use a third party but still play a role in loading or managing payment elements on their site. If your website hosts the payment page or loads scripts that collect payment information, even if the transaction is sent to a third party, you fall under SAQ A-EP.

Both require you to follow best practices in managing your website and third-party services. While SAQ A may seem “easier,” it’s only valid if you truly have no access to cardholder data. Misclassifying yourself can put your business at risk.

SAQ B and B-IP: For Terminal-Based Merchants

If your business uses simple countertop terminals, you may qualify for SAQ B or SAQ B-IP. SAQ B applies to merchants who use standalone dial-out terminals that connect via phone line and do not store cardholder data. SAQ B-IP is similar but for terminals that use an internet connection. This includes IP-based terminals that are configured securely and do not transmit data through a computer or store card information. These terminals often use encryption and connect directly to the payment processor.

Both types are common in retail shops, small service businesses, and quick-service restaurants. They offer straightforward compliance requirements because the environment is limited and controlled. That said, PCI DSS for different merchants means even these simpler systems require proper security controls. SAQ B-IP, in particular, may require you to ensure your internet connection is segmented, firewalls are in place, and that firmware is kept updated.

If your terminal is connected through a computer or if your system stores any card data, these SAQs are not the right fit. Always verify your setup matches the outlined criteria before completing the form.

SAQ C and C-VT: For Internet-Connected Merchants

SAQ C and SAQ C-VT apply to merchants who use internet-connected systems to process card payments but don’t store cardholder data. These are typically businesses that use a computer or tablet-based setup with virtual terminals or POS software. SAQ C is intended for merchants who have payment applications connected to the internet, such as POS software installed on a computer. These systems must be configured to isolate payment functions from the rest of the network, and strong controls must be in place to prevent unauthorized access.

SAQ C-VT is for merchants who use web-based virtual terminals to manually enter card information. This is common in call centers or service-based businesses that process payments over the phone or by email. The system used must not store card data and must access the virtual terminal through a single-purpose device.

Both SAQs come with more requirements than SAQ B or A. That includes firewall configurations, system monitoring, antivirus protection, and access controls. Following a merchant SAQ guide will help ensure these conditions are met. Choosing between SAQ C and C-VT depends on your software setup, how payments are entered, and how your systems are managed.

SAQ D: For Businesses That Don’t Fit Elsewhere

SAQ D is the most comprehensive of all the PCI SAQ types. It applies to any merchant that does not qualify for the other forms. This includes businesses that:

  • Store cardholder data
  • Process payments through complex networks
  • Have systems that interact with card data beyond the payment terminal

SAQ D has over 300 individual requirements and is essentially a scaled-down version of a full PCI DSS audit. Businesses completing this SAQ must have strong internal policies, detailed documentation, and technical safeguards across all systems. This SAQ is most commonly used by large organizations or businesses with in-house payment platforms, legacy systems, or custom integrations. It’s also required for service providers.

While SAQ D is the most demanding, it’s necessary for businesses with elevated risk. Trying to fit into a simpler SAQ type to reduce workload can backfire if your setup doesn’t match the eligibility criteria. Using SAQ D correctly is a critical part of maintaining trust and fulfilling the obligations outlined in PCI DSS for different merchants.

SAQs

Best Practices for Completing Your SAQ

Filling out your SAQ isn’t just about checking boxes; it’s about understanding and validating your compliance status. Here are some best practices to follow:

  • Read the eligibility criteria carefully for your chosen SAQ
  • Document your payment flows and systems
  • Make sure your answers are truthful and complete
  • If answering “No” to any requirement, include a plan for remediation
  • Work with your payment processor or security advisor if you’re unsure

Following a merchant SAQ guide can help break down the technical language and make the process less intimidating. Take your time to understand what each question is asking and how your business addresses it. Completing the SAQ accurately gives your business protection in the event of a data breach. It shows that you made a good-faith effort to comply and were aware of your responsibilities. That alone can reduce potential penalties and build stronger relationships with payment partners.

Common Mistakes Businesses Make with SAQs

One of the biggest mistakes merchants make is choosing the wrong SAQ. This happens when businesses don’t fully understand their payment environment or think using a third party provider removes all their responsibility. Another mistake is checking “Yes” to every question without verifying if the requirement is actually met. This creates a false sense of security and can lead to non-compliance. If your business is audited or breached, these unchecked assumptions will become major liabilities.

Not updating SAQs annually is another issue. PCI DSS requires SAQs to be completed every year, or more often if your environment changes. For example, if you change processors, add new terminals or update your website, your SAQ requirements will change too. Relying solely on IT staff without involving management is also a problem. Compliance is a business wide responsibility not just a technical one. Management needs to understand how policies and practices impact risk and compliance. Avoiding these mistakes requires awareness, planning and commitment to doing it right.

When Your Business Model Changes: Re-Evaluating Your SAQ Type

Businesses evolve over time. You may launch a new website, introduce mobile payment options, or move from in-person to remote billing. When these shifts occur, your PCI SAQ classification might also need to change. A common oversight is continuing to use the same SAQ year after year without reassessing whether it still matches your setup.

For example, a merchant that originally qualified for SAQ B with a standalone terminal may later adopt a cloud-based POS that connects to the internet. This would require switching to SAQ C or even SAQ D, depending on how the system is configured. Similarly, an online merchant moving from a hosted checkout page to an integrated payment form might no longer qualify for SAQ A and would need to adopt SAQ A-EP.

This re-evaluation isn’t just good practice; it’s part of staying compliant with PCI DSS for different merchants. Your payment processor may audit or question your SAQ classification, especially after technical changes. Reviewing your setup annually, or whenever significant changes occur, helps ensure your business is accurately protected. Use a merchant SAQ guide to cross-check eligibility before your next renewal. Staying proactive prevents mistakes and demonstrates your commitment to secure payment processing.

Working with Third-Party Vendors and Service Providers

Many businesses use third party vendors for services like web hosting, payment processing and POS systems. While outsourcing can simplify things, it doesn’t eliminate your PCI DSS responsibilities for different merchants. In fact, working with external providers adds new compliance requirements.

You must ensure any third party handling cardholder data is PCI DSS compliant. That means reviewing their Attestation of Compliance and knowing exactly what part of the transaction flow they control. Even if you never touch the data yourself, you’re responsible for choosing compliant partners and documenting that relationship in your SAQ.

For example, if you use a third party e-commerce platform that loads payment forms on your site, you may need to complete SAQ A-EP instead of SAQ A. That small difference has big technical and policy implications. To be safe, review your vendor list regularly and ask for up to date proof of compliance. Make sure contracts define data security responsibilities. A merchant SAQ guide can help you determine what controls need to stay in-house and what can be outsourced.

Final Thoughts

Self-Assessment Questionnaires are a key part of PCI DSS compliance. They help businesses of all sizes understand their responsibilities and demonstrate their commitment to secure card processing. But to be effective, they must be completed accurately and matched to the right business type. From SAQ A for e-commerce retailers to SAQ D for complex setups, the range of PCI SAQ types is designed to fit different payment environments. By using a reliable merchant SAQ guide, you can avoid confusion, reduce risk, and meet the standards required under PCI DSS for different merchants.

Taking the time to choose the right SAQ and answer it honestly is one of the smartest moves a business can make. It’s not just about checking a compliance box; it’s about protecting your customers, your business, and your reputation.