Guide: Which PCI DSS SAQ Is Right for You?
If your business handles payment card data, PCI DSS compliance is mandatory. This guide breaks down each SAQ type to help you determine the one that fits your setup—whether you use payment terminals, virtual terminals, or e-commerce platforms.
Updated December 3, 2025
What's Your Organization's PCI Compliance Level?
If your business stores, processes, or transmits payment card data, you are required to comply with PCI DSS.
This global standard, established by the major payment card brands through the PCI Security Standards Council (PCI SSC), defines how cardholder data must be protected. Compliance is mandatory and is enforced through your acquiring bank and the card brands.
To effectively implement and maintain PCI compliance, it's crucial to understand merchant levels and determine which Self-Assessment Questionnaire (SAQ) best fits your organization.
» Take the first step towards PCI DSS compliance: Reach out to our experts
What Is a Merchant?
A merchant is defined as any entity that accepts payment cards bearing the logos of any of the five founding members of PCI SSC (American Express, Discover, JCB, Mastercard, or Visa) as payment for goods and/or services.
What Is a Service Provider?
A service provider is a business entity, other than a payment brand, that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. The definition also covers companies whose services control or could impact the security of cardholder data, such as hosting providers and managed firewall or intrusion-detection providers, even if they never touch card numbers themselves.
Not all businesses handle payment card data the same way. To simplify compliance while ensuring security, PCI DSS provides two validation routes:
- Report on Compliance (ROC): For businesses processing high volumes of transactions. Requires a full on-site assessment by a Qualified Security Assessor (QSA) or, where the acquirer or payment brand permits it, a trained Internal Security Assessor (ISA).
- Self-Assessment Questionnaires (SAQs): For businesses with lower transaction volume or risk exposure, allowing them to self-assess compliance against a subset of requirements chosen according to how they handle card data.
» Learn more: What are QSAs and why are they important for your business?
The SAQ route is further divided by payment channel and by how cardholder data is handled. PCI DSS provides different SAQ types to match different business models and risk levels; the fewer ways your environment can touch card data, the shorter the questionnaire:
SAQ A
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.
SAQ A-EP
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and whose website(s) do not directly receive cardholder data but can impact the security of the payment transaction. The distinction from SAQ A is whether code served from the merchant's own site controls how or where card data is sent: a full redirect to the processor's payment page or a processor-hosted iframe keeps the merchant in SAQ A, whereas a merchant-hosted form that posts card data directly from the customer's browser to the processor, or merchant JavaScript that builds the payment form, moves the merchant to SAQ A-EP. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.
» Find out how you can build a robust PCI DSS security strategy
SAQ B
Merchants using only:
- Imprint machines with no electronic cardholder data storage; and/or
- Standalone, dial-out terminals with no electronic cardholder data storage
Not applicable to e-commerce channels.
SAQ B-IP
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
SAQ C-VT
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
SAQ C
Merchants with payment application systems (for example, point-of-sale systems) connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.
SAQ P2PE-HW
Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.
SAQ D
- Merchants: All merchants not covered by the SAQ types described above, including any merchant that stores cardholder data electronically.
- Service Providers: All service providers defined by a payment brand as eligible to complete a SAQ.
» Know which PCI DSS path fits your business—so you can avoid these PCI DSS pitfalls
Report on Compliance
Organizations that process over 6 million transactions annually (merchants, Level 1) or over 300,000 transactions annually (service providers, Level 1) must complete both an annual Report on Compliance and an Attestation of Compliance. These thresholds are set by each payment brand and counted per brand, and a brand or acquirer can require a ROC from any organization regardless of volume, for example after a data breach, so confirm your level with your acquirer rather than assuming an SAQ applies.
» Ready to begin? Contact us to learn more about our startup and enterprise PCI DSS services