Are You Doing the Right PCI Self-Assessment Questionnaire?

Part of establishing PCI compliance and maintaining it year in and year out is filling out an annual PCI self-assessment questionnaire (SAQ). These questionnaires are designed to accomplish two goals: to help businesses identify weaknesses that need to be dealt with and to help prove to institutions that a company is compliant. But not all companies handle credit cards in the same way, so PCI has put together nine different versions of the SAQ. The difference in length and complexity between the shortest and longest versions is extreme – 22 questions versus 329. As a result, it's important that companies select the proper SAQ for self-assessments, because choosing poorly could result in under-analysis or, alternatively, a lot of unnecessary work. Below is a quick review of each SAQ version to help with proper selection.

1) SAQ A

SAQ A is the shortest option and is for businesses that process card-not-present transactions like eCommerce, mail-order sales, or phone sales, and outsource all cardholder data handling, processing, transmission, and storage. 


2) SAQ A-EP

This option is for eCommerce-only merchants that utilize a third-party processor for their card transactions, but whose websites could nonetheless impact transaction security in some way even though no processing, transmission, or storage of cardholder data is handled by the merchant.

3) SAQ B

SAQ B applies to merchants that handle payments only in non-electronic ways, like physical imprint machines or dial-out payment terminals. These payment methods are already considered archaic, so this SAQ option will apply to very few merchants. 


4) SAQ B-IP

SAQ B-IP applies to merchants using stand-alone terminals that are PIN Transaction Security (PTS) approved and interface with the payment processor via an IP connection. Merchants utilizing this SAQ can't handle any electronic payment data storage themselves.

5) SAQ C

SAQ C applies to all merchants that have an internet-connected payment system, but who only handle payment transmissions and do not store any cardholder data themselves. This SAQ applies to a wide range of eCommerce merchants. 


6) SAQ C-VT

The VT version of SAQ C applies to merchants utilizing a virtual terminal installed on a single device or computer that is used only for credit card payment processing and nothing else. As with version C, no data storage is permitted for merchants using this SAQ.


7) SAQ P2PE

P2PE stands for point-to-point encryption, a security standard established by PCI to heighten security and deter tampering. Merchants who use P2PE systems but do not store any cardholder data are eligible to use SAQ P2PE.

8) SAQ D – Merchants

This is the longest SAQ, as it is for merchants who handle all of their credit card payment processing themselves with no outsourced help or P2PE systems and store cardholder data. That puts these merchants in the highest risk category and requires them to analyze their compliance needs more deeply. 

9) SAQ D – Service Providers

This version of SAQ D is specifically for service providers, as opposed to merchants, that accept electronic credit card payments and, as such, are also required to meet PCI compliance standards. 


There are a wide variety of considerations that go into choosing an SAQ, and, unsurprisingly, many merchants find themselves unsure of which of the nine options to choose. Getting it wrong could be costly, so it’s important that merchants select the right self-assessment, and BAMS is here to help. The BAMS team helps all of our merchants achieve and maintain PCI compliance by offering an expert guiding hand during the process. To find out more about how BAMS can help your company navigate PCI compliance and choose the right self-assessment questionnaire.