Self-assessment is a core part of the PCI-DSS compliance process. Most companies seeking PCI certification need to complete self-assessment questionnaires. There are various types of questionnaires, and choosing the correct format is essential.

This article will explain how PCI-DSS self-assessment questionnaires work. We will provide helpful guidance about who needs to complete SAQs. We will also outline how to find the right SAQ for your organization.

Key takeaways

  • PCI-DSS Self-Assessment Questionnaires (SAQs) are an essential part of the PCI-DSS compliance process. They allow organizations to assess their security posture and show PCI compliance.
  • SAQs streamline compliance tasks. They replace in-person audits with documentary questionnaires. This makes complying with PCI rules easier and more cost-effective.
  • SAQs are generally required for PCI-DSS levels 2-4. This includes most e-commerce companies handling cardholder data. Larger organizations may require more complex assessments involving approved auditors.
  • Key factors to consider when choosing SAQs include the organization's payment transaction methods and how they handle credit card data. Different SAQ types apply scenarios like outsourced data processing or electronic storage.

If you are uncertain about which SAQ to use, seek assistance from a Qualified Security Assessor (QSA). QSAs assess payment systems and recommend appropriate compliance questionnaires.

What are PCI DSS Self-Assessment Questionnaires (SAQs)?

Self-Assessment Questionnaires are part of the auditing requirements under the Payment Card Industry Data Security Standards (PCI-DSS).

SAQs are written and provided by PCI. They contain a series of questions relating to data protection. When added together, these questions provide a detailed snapshot of an organization's security posture. This information determines whether the organization complies with PCI-DSS regulations.

Completing an SAQ can take a few hours but can also take weeks. Organizations must assess all aspects of electronic cardholder data storage. They must accurately document security controls for cardholder data. Any errors or inaccuracies can result in PCI violations.

Why are PCI DSS Self-Assessment Questionnaires necessary?

PCI-DSS SAQs play an important role in the PCI compliance process. They are designed to streamline compliance tasks.

Documentary questionnaires replace in-person audits in many situations. They reduce the time required to prove compliance, while self-assessment is also cheaper than bringing in external auditors. This makes it much easier for small businesses to comply with PCI rules.

Companies cannot complete the PCI process without providing evidence of compliance. The information provided on an SAQ shows that the organization protects cardholder data according to the 12 core PCI requirements.

Completing an SAQ has other benefits for e-commerce businesses that deal with electronic cardholder data storage. For instance, security teams can use the SAQ as a risk assessment tool. Self-assessment identifies points of weakness in cardholder data functions.

Security officers can address payment processing vulnerabilities as soon as they are identified. They can create policies to change default passwords or encrypt e-commerce channels. Security teams can fine-tune firewalls and access controls and ensure that all security measures meet PCI standards.

Who fills out the SAQ?

Not all regulated organizations need to fill out an SAQ under PCI-DSS requirements. Self-assessment questionnaires apply to companies at PCI-DSS levels 2-4. Larger organizations require more complex assessments featuring approved auditors.

PCI DSS transacation level

Accuracy is also critical. Some e-commerce merchants enlist external experts to complete or verify their SAQ. This is a more costly option but improves the integrity of the compliance procedure.


PCI DSS assessment chart


SAQ A forms are designed for merchants that have completely outsourced credit handling to a third-party payment processor. Merchants in this category do not directly handle payment data. The short questionnaire is solely intended to show that this is the case and that there is no need for security controls.


SAQ A-EP also refers to companies that have outsourced cardholder data processing. Companies in this category may maintain websites that influence the security of electronic cardholder data storage. But the merchant does not store cardholder data. Even so, it's necessary to prove that the website is secure and that systems do not expose credit data.


SAQ B is aimed at organizations that use dial-in point-of-sale or card imprint machines and do not store customer data. This covers brick-and-mortar retailers and is not relevant for most e-commerce companies.


As the name suggests, SAQ B-IP questionnaires relate to companies that use point-of-sale or imprint devices that communicate via an IP connection. Companies in this category do not store customer data on their systems.


SAQ C-VT assessments are aimed at companies that use virtual terminals to accept payments. This questionnaire only looks at the security of virtual terminals, and it is not usually relevant for e-commerce merchants.


SAQ C questionnaires cover organizations that accept payments via payment apps connected to the internet. Companies in this category accept payments but do not store cardholder information.


SAQ P2PE relates to companies that use devices secured by point-to-point encryption. Organizations in this category do not store any data after accepting transactions.

SAQ D for Merchants

SAQ D forms for merchants are the most common option for e-commerce companies. Organizations in this category maintain payment infrastructure with no outsourcing. They may store and process customer payment data via e-commerce channels. This SAQ requires in-depth reporting on how organizations protect cardholder data.

SAQ D for Service Providers

Service providers must complete a separate self-assessment questionnaire if they meet SAQ D criteria. This includes hosting services, payment gateways, and managed payment security service providers.

Which PCI DSS SAQ is right for your business?

PCI DSS eligibility criteria
  • The most important information to determine before filling out a self-assessment questionnaire is the type of payment transaction method(s) your organization uses. There are different forms for companies that use P2PE, virtual terminals, website portals, and imprint machines.
  • How an organization handles credit card data is also important. There are different questionnaires for e-commerce businesses that outsource data processing and electronic storage. Be careful when assessing this issue. If any devices or apps allow access to credit card data, you will need to fill out a comprehensive SAQ.
  • In some cases, organizations may need to choose between questionnaires for merchants and service providers. Assess your business classification and choose the right option.
  • When you are clear about payment methods and electronic storage systems, consult the list of SAQs above or visit the PCI website. Compare your systems with the different SAQ criteria. Find a self-assessment form that matches your credit handling setup.
  • If you have any doubts about which SAQ to choose, bringing in a Qualified Security Assessor (QSA) is advisable. A QSA will assess your payment systems and recommend which questionnaire to use.

Choosing the right PCI-DSS self-assessment questionnaire matters. SAQs prove compliance and provide a route to PCI certification for e-commerce companies. They also represent a chance to document security measures and improve data protection. This reduces the risk of data breaches and regulatory fines.