How to Accurately Complete a PCI DSS SAQ for Compliance Success
The PCI DSS SAQ process requires a solid understanding of your business’s cardholder data environment. Proper preparation, including scoping and documentation, is key to an accurate submission. We'll guide you through how to fill out the questionnaire correctly.
Updated September 18, 2025
Navigating the PCI DSS requirements can feel overwhelming, but it's a vital part of protecting your customers’ sensitive payment information. The Self-Assessment Questionnaire (SAQ) is a tool designed to help you validate your compliance. It provides a structured way to assess your security controls and confirm that you're meeting the necessary standards.
By completing the SAQ correctly, you're not only fulfilling a requirement but also strengthening your overall security posture. In this blog, we'll explain how to properly fill out your PCI compliance questionnaire.
PCI DSS: SAQ Explained
The SAQ is a reporting process designed by the PCI Security Standards Council to help merchants validate and report their compliance without undergoing a full audit. It’s meant to simplify the process, but for many organizations it still feels complex.
For businesses without dedicated compliance or security staff, interpreting PCI DSS requirements is difficult. Even with shorter forms like SAQ A, it’s easy to misjudge scope and miss critical obligations. Smaller organizations also struggle with limited time, budget, and staff to apply the required controls. On top of that, the SAQ must be completed exactly as written; there’s no flexibility to tailor requirements to fit your unique setup.
PCI Self-Assessment Questionnaires for SMBs
Small and mid-sized businesses (SMBs) often complete a PCI Self-Assessment Questionnaire (SAQ) instead of a full audit if they process fewer transactions and outsource cardholder data handling to PCI-compliant providers.
For example, an e-commerce shop using Stripe or PayPal qualifies for SAQ A since it doesn’t store, process, or transmit card data internally.
The rationale is risk-based; merchants with fewer transactions and limited exposure to cardholder data assume lower risk and complexity, making a full audit unnecessary. Merchant levels 2, 3, and 4, which process fewer than 6 million transactions annually, commonly use SAQs tailored to their setup, while large, Level 1 merchants must undergo full audits.
Three Steps to Confirm SAQ Eligibility
- Contact your acquiring bank/payment brands for the level and SAQ type.
- Map cardholder data flows to define your CDE and outsourced processes.
- Review specific SAQ eligibility criteria for an exact match.
SAQ Types: Differences in Use and Complexity
The various SAQ types differ significantly in their applicability and complexity, reflecting the different ways merchants handle cardholder data.
- SAQ A is the simplest; it’s for e-commerce merchants who fully outsource all cardholder data processing and don't store any data electronically.
- SAQ A-EP applies to e-commerce merchants who manage their own website but redirect users to a third party for payment processing.
- SAQ B, B-IP, C, and C-VT are for merchants using different payment methods, such as manual entry via a web-based virtual terminal (SAQ C-VT).
- SAQ D is the most comprehensive and is used when no other SAQ type applies, or for all service providers.
- SAQ P2PE is for merchants using a PCI-approved Point-to-Point Encryption solution, which helps reduce their scope.
Many SAQ types also require external vulnerability scans by an Approved Scanning Vendor (ASV).
Number of Questions and What Determines the SAQ's Length
The number of questions in each PCI SAQ varies widely, directly reflecting the complexity of the merchant's cardholder data environment. The more a merchant stores, processes, or transmits card data, the more PCI DSS requirements apply, which increases the number of questions.
- SAQ A is the shortest, with around 30-50 questions. This is because it applies to merchants who fully outsource all cardholder data functions.
- SAQ C and C-VT typically have more questions, about 70-80, as they address software and connected-terminal security.
- SAQ D is the most comprehensive, containing over 300 questions, as it’s used by merchants and service providers who handle card data directly.
The length is determined by a merchant's level of involvement in managing the payment environment.
For example, if a merchant’s website provides a URL or embeds an iframe for a third-party payment page, requirements like tamper-detection might apply, increasing the number of questions compared to a merchant who only takes mail or telephone orders.
Common SAQ Question Types
SAQs are directly based on specific PCI DSS requirements. The SAQs are organized to cover only the subset of requirements that apply to a particular merchant environment.
Common Questions Usually Ask for Confirmation On:
- Security controls: Things like network and wireless security, firewall configurations, and physical access controls.
- Data protection: How cardholder data is protected, whether it's stored, and what encryption methods are used.
- Vulnerability management: If regular scans are performed and patches are applied.
For example, an SAQ might include questions from Requirement 2 (secure vendor-supplied defaults) or Requirement 3 (protect stored cardholder data) if those requirements apply to the merchant’s specific SAQ type.
How to Prepare for the SAQ
Before starting the SAQ, your organization must perform several key preparatory actions to ensure the process is accurate and efficient.
System Inventory
Start by creating a detailed inventory of all IT assets and business processes that handle payment information. This involves identifying all systems that store, process, or transmit cardholder data (CHD), as well as any components that could affect their security.
The inventory should be kept up-to-date and include a description of each component's function. This step is crucial for accurately defining the scope of your PCI DSS review.
Risk Assessment
Conduct a risk analysis for any PCI DSS requirement that explicitly calls for it. This documented analysis should identify protected assets, potential threats, and contributing factors, along with a justification for how your processes minimize risk. This assessment must be reviewed annually and updated as needed.
Documentation Review
Gather and review all relevant documentation. This includes network diagrams, data flow diagrams, security policies, change control records, and training records. It is essential that your network and data flow diagrams are current and accurately reflect your PCI scope. Additionally, policies for secure configurations, data retention, and incident response must be in place and well-documented.
The SAQ Completion Process: Who's Involved?
The SAQ completion process should involve multiple roles across an organization to ensure accuracy. These roles typically include:
- Merchant managers or designated departmental staff who act as the primary contacts and coordinate the process.
- Technical teams (IT/network/security), who provide information on system security, network controls, and vulnerability management.
- Compliance officers or specialists, who help interpret PCI standards and validate policies.
- Operational teams, who confirm day-to-day practices, training, and adherence to security policies.
Remember: Coordination is best achieved through clear role assignment and consistent communication. A PCI Compliance Officer or a designated project lead should manage the process, with responsibilities like scoping the cardholder data environment, gathering evidence, and reviewing responses.
Responding to "No," "N/A," or "Compensating Control"
Responding to a SAQ question with "No," "N/A," or "Compensating Control" requires careful documentation to maintain compliance integrity.
- "Not in Place" (No): This means the requirement isn't met. Answering "No" results in a "Non-Compliant" status and requires an Action Plan (often in Part 4 of the SAQ) detailing the remediation steps and an expected completion date. This is also used if a legal restriction prevents compliance.
- "Not Applicable" (N/A): This can only be used when a requirement genuinely doesn't apply to your environment. You must verify this through testing and provide a detailed explanation in a supporting appendix (e.g., Appendix D for SAQ A).
- "In Place with CCW" (Compensating Control): Use this for requirements that can't be met as stated due to a legitimate technical or business constraint. The risk, however, is sufficiently mitigated by another control. You must complete a Compensating Controls Worksheet (Appendix C) that explains the constraint, the compensating control's objective, the risks it mitigates, and how it's validated and maintained.
How to Submit Your PCI DSS SAQ
Submission Recipients
You must submit your SAQ to your acquiring bank. This is the financial institution that processes your credit card payments. Other entities that may request your SAQ include:
- Payment processors
- Card brands (e.g., Visa, Mastercard)
The Complete Submission Package Typically Includes
- The completed SAQ
- Your Attestation of Compliance (AOC)
- Any additional documents, like reports from an ASV
Industry and Regional Differences
While the general rule is to submit to your acquirer, the specific requirements can vary by industry and by region. Different banks may have their own policies on:
- How to submit your SAQ
- When to submit it
- What additional documents are needed
Tip: Always confirm the specific submission instructions directly with your acquirer to ensure you meet all requirements.
PCI DSS v4.0 Changes
PCI DSS v4.0 introduced several significant changes that businesses need to be aware of when completing the SAQ. These updates were designed to address modern security threats and promote a continuous compliance approach.
Key Changes to SAQ Completion
- New requirements for e-commerce: PCI DSS v4.x introduced Requirements 6.4.3 and 11.6.1, specifically addressing e-skimming risks by mandating management and monitoring of payment page scripts. These requirements are included in SAQ A-EP, SAQ D for Merchants, and SAQ D for Service Providers.
- SAQ A vulnerability scans: A significant addition for SAQ A is the requirement for external vulnerability scans performed by an ASV.
- Reporting options: The assessment finding "In Place with Remediation" has been removed from the Report on Compliance (ROC), though still mentioned in SAQ A documentation.
- No customized approach for SAQs: Entities completing a Self-Assessment Questionnaire are not eligible to use the "Customized Approach". This approach is only available for assessments documented in a full ROC.
- Future-dated requirements: Many new requirements introduced in v4.0 were initially "best practices" but became mandatory after 31 March 2025, emphasizing a shift towards continuous compliance.
Simplifying SAQ Completion with GRSee
Successfully completing your SAQ is a significant step toward achieving and maintaining PCI compliance. The process requires a deep understanding of your specific cardholder data environment and a commitment to accurate, well-documented responses. By dedicating time to proper preparation, conducting thorough internal assessments, and gathering the right evidence, you can confidently attest to your security posture.
At GRSee, we’ve guided many organizations through this process, with success stories that show how our expertise makes a real difference. We can help your organization with this complex journey, ensuring a smooth and accurate submission.
FAQs
What is the PCI DSS SAQ?
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool that merchants and service providers use to self-assess their compliance with the Payment Card Industry Data Security Standard (PCI DSS).
It's a series of questions designed to help organizations review their security controls and report their compliance status to their acquiring bank.
Who needs to fill out an SAQ?
Any merchant or service provider that processes, stores, or transmits credit card data is required to comply with PCI DSS.
The SAQ is typically used by smaller businesses (PCI DSS Levels 2, 3, and 4) to validate their compliance. Larger organizations (Level 1) usually require a more formal audit called a Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA).
How often must I complete the SAQ?
You must complete and submit your SAQ to your acquiring bank annually. You may also need to perform quarterly vulnerability scans.
What happens if I fail the SAQ?
If you fail, you could face fines, higher transaction fees, or lose your ability to accept credit card payments. This also makes you more vulnerable to a data breach.