PCI SAQ Types: Which Self-Assessment Questionnaire Do You Need?
Your SAQ type is the single biggest factor affecting PCI compliance cost. SAQ A requires validating just 22 controls and costs as little as $50 per year. SAQ D requires 251 or more controls and can cost $5,000 to $20,000 or more annually. This tool helps you identify which SAQ applies to your business.
All SAQ Types at a Glance
PCI DSS 4.0.1 defines nine Self-Assessment Questionnaire types. Each is designed for a specific payment acceptance environment. The table below shows the control count, target audience, typical cost, and annual effort for each type. The difference between SAQ A (22 controls) and SAQ D (251 controls) represents a 90 percent reduction in compliance work.
| SAQ Type | Controls | Who It Is For | Typical Cost | Annual Effort |
|---|---|---|---|---|
| SAQ A | 22 | Fully outsourced e-commerce (redirect or iframe) | $50 - $500 | 1-2 days |
| SAQ A-EP | 139 | E-commerce with website elements affecting payment security | $2,000 - $10,000 | 2-4 weeks |
| SAQ B | 38 | Imprint machines or standalone dial-out terminals | $200 - $1,000 | 2-5 days |
| SAQ B-IP | 80 | IP-connected standalone payment terminals | $500 - $3,000 | 1-2 weeks |
| SAQ C | 124 | Payment application systems connected to the internet | $1,000 - $5,000 | 2-4 weeks |
| SAQ C-VT | 79 | Virtual terminal (web-based, one transaction at a time) | $500 - $2,000 | 1-2 weeks |
| SAQ D (Merchant) | 251 | All other merchants not qualifying for SAQ A through C-VT | $5,000 - $20,000 | 4-16 weeks |
| SAQ D (Service Provider) | 269 | Service providers eligible to complete an SAQ | $10,000 - $50,000 | 8-24 weeks |
| SAQ P2PE | 33 | Merchants using a validated P2PE solution | $200 - $1,000 | 2-5 days |
Detailed SAQ Type Guide
SAQ A
Fully outsourced e-commerce (redirect or iframe)
Eligibility
Card-not-present merchants who fully outsource all payment processing to PCI DSS validated third parties. No electronic cardholder data storage, processing, or transmission on your systems.
What This Means
The simplest and cheapest SAQ. If you use a hosted payment page (like Stripe Checkout, PayPal, or Shopify Payments) where customers are redirected or use an iframe, you likely qualify for SAQ A. Your website never directly handles card numbers.
Common Mistake
Assuming you qualify when your website includes JavaScript that could intercept card data before it reaches the payment provider. If your site loads scripts on the payment page, you may need SAQ A-EP instead.
SAQ A-EP
E-commerce with website elements affecting payment security
Eligibility
E-commerce merchants who partially outsource payment processing but whose website can impact the security of the payment transaction (e.g., embedded payment forms via JavaScript/API).
What This Means
Required when your website includes elements that could affect payment security, even though card data is submitted directly to the payment processor. Common with Stripe Elements, Braintree hosted fields, or similar embedded payment forms.
Common Mistake
Not realising that PCI DSS 4.0.1 Requirement 6.4.3 (payment page script management) now applies to SAQ A-EP merchants, adding significant new compliance overhead.
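Requirement 6.4.3 is, in practice, an inventory of the scripts on the payment page plus a way to confirm each one is authorised and unmodified. The check below is an added example, not code from the original page; the inventory, hostnames and sample page are constructed for illustration, and the integrity hash is a placeholder.

```python
from html.parser import HTMLParser

# Constructed inventory: every script authorised on the payment page, with the written
# justification Requirement 6.4.3 expects. Hostnames are hypothetical.
AUTHORISED_SCRIPTS = {
    "https://js.psp.example/v3/elements.js": "Payment provider's embedded card form",
    "https://static.shop.example/checkout.js": "First-party checkout page logic",
}

class _ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script> tag; src is None for inline scripts."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))

def audit_payment_page(html: str) -> list[tuple[str, str]]:
    """Compare the scripts actually present on a payment page with the inventory.
    Returns (finding, detail) pairs; an empty list means the page matches the inventory."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src is None:
            findings.append(("inline-script", "no src to match against the inventory and no SRI possible"))
        elif src not in AUTHORISED_SCRIPTS:
            findings.append(("not-authorised", src))   # script nobody approved
        elif not integrity:
            findings.append(("no-integrity", src))     # no SRI hash, so tampering goes unnoticed
    return findings

# Constructed sample page: one authorised script with SRI, one without, one unexpected
# third-party script (what the authorisation check exists to surface), and one inline block.
SAMPLE_PAGE = """
<html><body>
<script src="https://js.psp.example/v3/elements.js"
        integrity="sha384-PLACEHOLDER-NOT-A-REAL-HASH" crossorigin="anonymous"></script>
<script src="https://static.shop.example/checkout.js"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>
"""

if __name__ == "__main__":
    for finding, detail in audit_payment_page(SAMPLE_PAGE):
        print(f"{finding}: {detail}")
```

Run against a saved copy of the live payment page on a schedule and treat any finding as a change that needs review before the next assessment.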
SAQ B
Imprint machines or standalone dial-out terminals
Eligibility
Merchants using only imprint machines or standalone dial-out terminals that are not connected to the internet or any other systems.
What This Means
For merchants using old-fashioned card imprint machines or standalone terminals that connect via phone line only. These terminals have no IP connectivity and no electronic cardholder data storage.
Common Mistake
Using this SAQ when terminals have any network connectivity. Even a terminal that connects to Wi-Fi for updates may disqualify you from SAQ B.
SAQ B-IP
IP-connected standalone payment terminals
Eligibility
Merchants using standalone, PTS-approved payment terminals with IP connectivity for payment processing. No electronic cardholder data storage.
What This Means
The modern version of SAQ B for standalone payment terminals that connect via IP (Ethernet or Wi-Fi) rather than phone line. The terminal handles all card data - your POS system never sees card numbers.
Common Mistake
Not properly segmenting the payment terminal network from the rest of the business network. IP-connected terminals require more controls than dial-out terminals.
SAQ C
Payment application systems connected to the internet
Eligibility
Merchants with payment application systems (POS software) connected to the internet. No electronic cardholder data storage. Single store location or single payment channel.
What This Means
For merchants whose POS system or payment application processes card data and connects to the internet. This is common for retail stores using integrated POS systems that process cards through software rather than standalone terminals.
Common Mistake
Multi-location merchants trying to use SAQ C when they should use SAQ D. SAQ C is designed for single-location or single-channel payment environments.
SAQ C-VT
Virtual terminal (web-based, one transaction at a time)
Eligibility
Merchants who process cardholder data only via a virtual terminal on an isolated computer connected to the internet. Manual entry only, one transaction at a time. No electronic cardholder data storage.
What This Means
For merchants who take card payments by manually entering card numbers into a web-based virtual terminal provided by their processor. Common for mail-order/telephone-order (MOTO) businesses and small service providers.
Common Mistake
Using the virtual terminal on a computer that is also used for general internet browsing, email, or other business functions. The computer must be isolated or dedicated.
SAQ D (Merchant)
All other merchants not qualifying for SAQ A through C-VT
Eligibility
Any merchant that stores cardholder data electronically, processes card data on their own servers, or does not meet the criteria for any other SAQ type. This is the catch-all SAQ.
What This Means
The most comprehensive and expensive SAQ. If you store card numbers in your database, process payments through your own server-side code, or do not fit any other SAQ category, you need SAQ D. It covers nearly all PCI DSS requirements.
Common Mistake
Remaining on SAQ D when scope reduction (tokenisation, hosted payment pages) could move you to SAQ A or A-EP, cutting compliance effort by 80-90%.
SAQ D (Service Provider)
Service providers eligible to complete an SAQ
Eligibility
Service providers that handle fewer than 300,000 card transactions per year and are eligible to report compliance via SAQ rather than a full ROC.
What This Means
For payment service providers, hosting companies, and other third parties that handle cardholder data on behalf of merchants. More controls than the merchant version of SAQ D because service providers must also facilitate their clients' compliance.
Common Mistake
Underestimating the additional service provider-specific requirements, including penetration testing, change detection, and stricter access control requirements.
SAQ P2PE
Merchants using a validated P2PE solution
Eligibility
Merchants using a PCI-validated Point-to-Point Encryption (P2PE) solution listed on the PCI SSC website. All payment processing through validated P2PE devices. No electronic cardholder data storage.
What This Means
The simplest SAQ for card-present merchants. If you use a PCI-validated P2PE solution, card data is encrypted at the terminal and only decrypted by the payment processor. Your systems never see readable card data.
Common Mistake
Assuming any encrypted terminal qualifies. The P2PE solution must be specifically listed on the PCI SSC validated solutions list. Many 'encrypted' terminals are not P2PE-validated.
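The eligibility rules and common mistakes above, encoded as one decision function so the disqualifiers are applied in the right order. This is an added example, not part of the original page or any PCI SSC material; the field names are assumptions, and a merchant with more than one payment channel is not modelled.

```python
from dataclasses import dataclass

@dataclass
class PaymentEnvironment:
    """How a merchant accepts cards. Field names are assumptions made for this example."""
    stores_chd: bool = False               # card data stored electronically on own systems
    own_server_processing: bool = False    # card numbers pass through merchant-run servers
    ecommerce: bool = False
    hosted_page_or_iframe: bool = False    # redirect/iframe to a PCI DSS validated provider
    scripts_on_payment_page: bool = False  # merchant-loaded JavaScript on the payment page
    p2pe_validated: bool = False           # solution appears on the PCI SSC P2PE list
    standalone_terminal: bool = False
    terminal_ip_connected: bool = False    # any Ethernet/Wi-Fi link, even only for updates
    terminal_pts_approved: bool = False
    virtual_terminal: bool = False
    vt_computer_isolated: bool = False     # dedicated machine, no browsing or e-mail
    pos_application_internet: bool = False
    single_location_or_channel: bool = True

def choose_saq(env: PaymentEnvironment) -> tuple[str, str]:
    """Return (SAQ type, reason). Checks run from the catch-all outward, so a
    disqualifier such as stored card data beats any reduced-scope SAQ."""
    if env.stores_chd or env.own_server_processing:
        return "SAQ D (Merchant)", "card data stored or processed on own systems"
    if env.p2pe_validated:
        return "SAQ P2PE", "all processing through a PCI-listed P2PE solution"
    if env.ecommerce:
        if env.hosted_page_or_iframe and not env.scripts_on_payment_page:
            return "SAQ A", "fully outsourced via redirect or iframe"
        return "SAQ A-EP", "website elements can affect payment security"
    if env.standalone_terminal:
        if not env.terminal_ip_connected:
            return "SAQ B", "dial-out terminal with no network connectivity"
        if env.terminal_pts_approved:
            return "SAQ B-IP", "PTS-approved standalone terminal over IP"
        return "SAQ D (Merchant)", "IP-connected terminal is not PTS-approved"
    if env.virtual_terminal:
        if env.vt_computer_isolated:
            return "SAQ C-VT", "manual entry on an isolated computer"
        return "SAQ D (Merchant)", "virtual terminal shares a general-purpose computer"
    if env.pos_application_internet:
        if env.single_location_or_channel:
            return "SAQ C", "internet-connected payment application, single location"
        return "SAQ D (Merchant)", "multi-location or multi-channel payment application"
    return "SAQ D (Merchant)", "no reduced-scope SAQ criteria met"

if __name__ == "__main__":
    shop = PaymentEnvironment(ecommerce=True, hosted_page_or_iframe=True, scripts_on_payment_page=True)
    print(choose_saq(shop))  # the SAQ A 'common mistake' resolves to SAQ A-EP
```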
How SAQ Type Affects Total PCI Compliance Cost
Your SAQ type is the single biggest cost lever most businesses can pull. The difference between SAQ A and SAQ D is not just the number of controls. It affects assessment cost, required security tools, penetration testing requirements, ongoing monitoring needs, and staff effort. Here is a comparison of total annual compliance cost by SAQ type for a typical Level 4 merchant.
SAQ A Merchant
$50 - $500/year
- 22 controls to validate
- 1 to 2 days of annual effort
- No penetration test required
- Minimal or no ASV scanning needed
- No SIEM or continuous monitoring
- DIY-friendly for technical staff
SAQ D Merchant
$5,000 - $20,000/year
- 251+ controls to validate
- 4 to 16 weeks of annual effort
- Annual penetration test required ($5K - $50K)
- Quarterly ASV scanning required ($400 - $2K/year)
- SIEM or log monitoring needed ($5K - $100K/year)
- Consultant assistance usually needed
If you are currently on SAQ D, switching to a hosted payment page or tokenised payment integration could move you to SAQ A, reducing compliance costs by up to 90%. See our scope reduction guide for implementation strategies and cost-benefit analysis.