PCI SAQ types: A comprehensive guide to PCI DSS self-assessment questionnaires


Merchants and service providers must comply with the PCI DSS standard, which protects cardholder data, and must be able to demonstrate that compliance. Self-assessment questionnaires, otherwise known as SAQs, are the means of verifying that the controls required to protect credit card details against fraud and theft are in place.

Guidance from the Payment Card Industry Council is essential when choosing the self-assessment questionnaire that matches how you handle customers’ payment card information. Merchants must complete the questionnaire that fits their environment and satisfy all of its requirements to show proof of compliance.

Key takeaways

  • PCI SAQs are self-assessment questionnaires to demonstrate compliance with PCI DSS standards
  • Merchants and Service Providers must determine their business type, payment processing methods, and the appropriate questionnaire for their situation
  • Tools like Thoropass can be used to automate and simplify the process of submitting documentation and ensuring ongoing compliance with PCI DSS requirements

Choosing the correct PCI DSS self-assessment questionnaire

There are distinct SAQ types tailored to specific payment processing methods and scenarios. We will look at each one in depth so that you can determine which works best for your business needs. 

SAQ A: E-commerce website (third party)

Summary:

  • For: e-commerce merchants
  • Who process payments by: e-commerce website (direct post)
  • Number of questions: 191
  • Vulnerability scan (Y/N)? Yes
  • Penetration testing (Y/N)? Yes

SAQ A is available to merchants that have delegated all cardholder data (CHD) functions to an external entity. Eligible merchants include e-commerce stores, mail-order companies, and telephone-sales businesses; to qualify, they must not store, process, or transmit CHD on their own systems or premises.

Instead, their website redirects to, or embeds in an iframe, a third-party payment processor. The PCI DSS-compliant service provider then handles cardholder data securely and helps the merchant meet the SAQ A criteria.

SAQ A-EP: E-commerce website (direct post)

Summary:

  • For: e-commerce merchants
  • Who process payments by: e-commerce website (direct post)
  • Number of questions: 191
  • Vulnerability scan (Y/N)? Yes
  • Penetration testing (Y/N)? Yes

Similar to SAQ A, SAQ A-EP merchants are e-commerce (online) businesses that process payments through validated third-party providers and do not store or transmit cardholder data themselves. However, their websites may affect the security of the payment transaction.

SAQ B: Imprint machine or dial-out terminal

Summary:

  • For: Merchants (not e-commerce)
  • Who process payments by: Imprint machine or dial-out terminal
  • Number of questions: 41
  • Vulnerability scan (Y/N)? No
  • Penetration testing (Y/N)? No

SAQ B is tailored to merchants that use imprint machines or standalone dial-out terminals and do not store electronic cardholder data. Imprint machines are manual devices used in credit card processing: they print the details of a customer’s credit card onto a sales slip for the later steps of transaction handling.

Standalone dial-out payment terminals require customers to enter their card information before the purchase amount is submitted. The terminal then connects over a phone line to the financial institution to complete the payment securely and in line with the PCI DSS requirements specified within the SAQ B document itself.

SAQ B-IP: Standalone PTS-approved payment terminal

Summary:

  • For: Merchants (not e-commerce)
  • Who process payments by: Standalone PTS-approved payment terminal
  • Number of questions: 82
  • Vulnerability scan (Y/N)? Yes
  • Penetration testing (Y/N)? No

SAQ B-IP applies to merchants using PTS-approved payment terminals that connect to the payment processor over an IP connection without storing any electronic cardholder data. These standalone terminals must be certified by the PCI SSC against the PIN Transaction Security (PTS) standard.

A stand-alone, internet-connected terminal is designed specifically for credit card payments and functions independently while being protected from regular telephone connections when processing transactions.

SAQ C-VT: Manual entry into a virtual terminal

Summary:

  • For: Merchants (not e-commerce)
  • Who process payments by: Manual entry into a virtual terminal
  • Number of questions: 79
  • Vulnerability scan (Y/N)? No
  • Penetration testing (Y/N)? No

SAQ C-VT is designated for merchants who process card-not-present transactions using a virtual terminal solution provided by a PCI DSS-validated third-party service provider. 

The virtual terminal solution is web-browser-based access to an acquirer, processor, or third-party service provider website to manually enter payment card data for a single transaction at a time (no swipe device).

This type of SAQ applies to businesses that do not store, process, or transmit any cardholder data on their systems or premises but rely entirely on a third party to handle these functions.


SAQ C: Internet-connected payment application system

Summary:

  • For: Merchants (not e-commerce)
  • Who process payments by: Internet-connected payment application system
  • Number of questions: 160
  • Vulnerability scan (Y/N)? Yes
  • Penetration testing (Y/N)? No

SAQ C is intended for businesses that use internet-connected payment applications (e.g. virtual terminal, IP terminal, a mobile device with a card-processing application, or a swipe device) but do not store electronic cardholder data. 

Businesses engaging in processes related to transmitting and processing payments, like: 

  • Call center operations
  • Mail/telephone orders, or 
  • Web-hosted entries via an Internet connection

are likely to find this form the most suitable for their handling of electronic cardholder data transmission within the organization.

SAQ P2PE: Hardware-only payment terminals managed by P2PE

Summary:

  • For: Merchants (not e-commerce)
  • Who process payments by: Hardware-only P2PE payment terminals
  • Number of questions: 33
  • Vulnerability scan (Y/N)? No
  • Penetration testing (Y/N)? No

Merchants that use approved Point-to-Point Encryption (P2PE) hardware devices, and do not store electronic card data, should use this questionnaire. 

SAQ D: All other categories & eligible Service Providers

Summary:

  • For: Service Providers and Merchants who do not fall into other categories
  • Who: Store card data
  • Number of questions: 329
  • Vulnerability scan (Y/N)? Yes
  • Penetration testing (Y/N)? Yes

All merchants who don’t fit into any of the categories above, and all service providers who are eligible to complete an SAQ, will need an SAQ D.

This particular SAQ was made specifically for merchants and service providers that store card data electronically.

Determining your business type

To choose the right SAQ, merchants and service providers need to ascertain their payment processing methods in line with the guidelines provided by PCI DSS. The mode of transaction can play a role in deciding which type of questionnaire should be chosen. 

Merchants vs Service Providers

While both merchants and service providers must adhere to PCI DSS standards, merchants are primarily engaged in selling goods or services and directly handle cardholder data, whereas service providers are external entities that provide services related to payment card transactions and may also handle cardholder data as part of their service.

Merchant

  • A merchant is an entity that accepts payment cards (such as credit or debit cards) as a form of payment for goods or services
  • Merchants are directly involved in the sale of products or services to customers and handle cardholder data during transactions
  • They are required to comply with PCI DSS to ensure the secure handling and protection of cardholder data

Service Provider

  • A service provider is a third-party entity that is involved in the processing, storage, or transmission of cardholder data on behalf of a merchant.
  • Service providers can include entities like payment gateways, hosting providers, and companies that provide other services related to payment card transactions.
  • Service providers also need to comply with PCI DSS, and there are specific requirements outlined in the standard that they must meet to ensure the security of the cardholder data they handle.

Resources and support for PCI DSS compliance

To learn more about PCI DSS compliance, check out these useful posts:

  • PCI DSS compliance checklist: The 12 requirements
  • Consequences of non-compliance: Uncovering PCI DSS fines and penalties
  • Understanding PCI DSS encryption requirements in 2023

Foster trust through PCI DSS compliance with Thoropass

PCI Data Security Standards (PCI DSS) is required for any businesses that process, store, or transmit credit cards and is enforced by the Card Brands and Acquiring Banks. Thoropass streamlines and accelerates your certification by combining automation with self-assessment support and expert insights. Get certified faster with less work and headaches.

More FAQs

Self-Assessment Questionnaires (SAQs) come in a variety of forms: A, A-EP, B, B-IP, C-VT, C, P2PE, and D. Each type has its own criteria, determined by the merchant or service provider environment in which it is used. Read more above to understand the differences between these SAQ types.

If you operate an online retail business that accepts credit card payments and stores customer information, you should consider completing PCI SAQ D. However, if your business operates solely online and all transactions are handled through a third-party processor, with no customer card data stored on your end, then PCI SAQ A or SAQ A-EP would be more appropriate. To better understand the appropriate SAQ type for your business, please read the full post above!

For businesses, there are four distinct PCI levels:

  • Level 1 is for organizations processing more than 6 million transactions per year
  • Level 2 is for those processing between 1 and 6 million transactions per year
  • Level 3 applies to firms processing 20,000 to 1 million transactions per year
  • Level 4 covers entities processing fewer than 20,000 transactions per year

When it comes to PCI SAQ requirements, businesses should consider what type of services they offer in order to determine whether they are a merchant or a service provider. If goods and products make up the majority of their offering, they will most likely be considered merchants. If managing payment information on behalf of customers is part of the business activities, the company would more than likely be regarded as a service provider.
