GRSee Consulting


PCI DSS Compliance: RoC vs. SAQ: Which One Do You Need?

Understanding whether your business needs RoC or SAQ PCI DSS compliance is essential to protect cardholder data and meet industry standards.

By Tom Rozen
Edited by Danéll Theron

Published July 2, 2025


If your business processes payment cards, you need to understand the importance of PCI DSS compliance. Knowing whether to complete a Report on Compliance (RoC) or a Self-Assessment Questionnaire (SAQ) can be confusing. The RoC PCI DSS compliance process involves a detailed audit, while the SAQ is a simpler self-check. Choosing the right path depends on your business size, payment methods, and risk level.

Getting this right helps protect your customers and keeps your payment processing running smoothly. In this blog, we will explain the differences between RoC and SAQ and guide you on which option fits your business needs.

» Meet PCI DSS requirements easily: Contact us



The table below outlines the PCI DSS merchant levels, their annual transaction volumes, and the general validation requirements (RoC vs. SAQ) at a glance:

PCI DSS Levels for Merchants and Service Providers


Keep in mind that other factors beyond transaction volume can also influence your PCI DSS requirements. Read on to get the full details.

What Is a RoC?

The RoC is a formal audit carried out by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). It involves an in-depth review of how an organization protects cardholder data, examining internal policies, procedures, network design, and overall security posture.

RoCs are mandatory for Level 1 merchants and high-volume service providers and are typically required by acquiring banks or card brands. The main objective is to provide independent, third-party assurance that your environment meets all PCI DSS requirements.

Completing a RoC usually takes longer and costs more than an SAQ. You’ll need to hire a QSA who performs a detailed review that can last weeks, depending on your business size and complexity.

Expenses often include:

  • Assessor fees
  • Staff time
  • Costs to address any security gaps found

Your team will also need to gather documentation, answer questions, and assist throughout the process.

Pros

  • Conducted by certified assessors, offering high credibility.
  • Helps identify and fix compliance gaps early.
  • Builds trust with banks, partners, and clients.
  • Prepares organizations for future audits.

Cons

  • Time-consuming and resource-intensive.
  • Expensive, especially for smaller businesses.
  • Not suitable for low-risk, low-volume environments.
  • Requires internal coordination and detailed evidence.

Take Note: PCI DSS has four merchant levels based on annual transaction volume:

  • Level 1: Over 6 million transactions; requires a full RoC audit by a certified assessor.
  • Level 2: 1 to 6 million transactions; usually completes an SAQ but may need a RoC.
  • Level 3: 20,000 to 1 million e-commerce transactions; completes an SAQ.
  • Level 4: Fewer than 20,000 e-commerce or up to 1 million other transactions; completes a simpler SAQ.

» Learn more: Here are the benefits of PCI DSS compliance

Achieve PCI DSS Compliance

GRSee helps you manage the RoC process smoothly and confidently from start to finish.



What Is an SAQ?

The SAQ is a set of yes/no questions that organizations use to check whether they meet PCI DSS standards. It covers all 12 PCI DSS requirements and is generally used by Level 2–4 merchants and smaller service providers.

Each SAQ version is tailored to specific business types and payment methods. The SAQ can be completed internally or optionally reviewed by a QSA, depending on your acquiring bank’s requirements.

Pros

  • Cost-effective and flexible for smaller businesses.
  • Easier to complete without third-party assessors.
  • Tailored versions for different processing methods.
  • Helps maintain basic PCI compliance.

Cons

  • Lower assurance due to self-reporting.
  • May miss critical security issues if done incorrectly.
  • Not accepted by all stakeholders for high-risk environments.
  • Requires strong internal knowledge of security requirements.

» GRSee helps you complete your SAQ correctly and avoid common PCI DSS myths while staying compliant



Structural and Content Differences Across RoC and SAQ Types

The RoC is a full formal report covering all PCI DSS requirements after a thorough audit, primarily for large, high-volume organizations. It includes on-site inspections and interviews, making it the most rigorous form of validation.

PCI DSS SAQ types vary depending on how a business processes payment data and the associated risk level:

  • SAQ A: For e-commerce or mail/phone order merchants that fully outsource payment processing to PCI-validated third parties and never touch card data themselves.
  • SAQ A-EP: For online merchants that outsource payment processing but still manage their own website. Because that website can affect the security of the transaction even though it does not collect card data directly, it falls within scope.
  • SAQ B: For merchants using standalone card terminals that connect over a phone line (dial-out) and do not store cardholder data electronically.
  • SAQ B-IP: For merchants using standalone card terminals that connect over the internet (IP-based), with no electronic cardholder data storage.
  • SAQ C and C-VT: SAQ C-VT is for merchants that manually key in one transaction at a time through a web-based virtual terminal; SAQ C is for merchants running a limited-use payment application connected to the internet. In both cases, no cardholder data is stored on your systems.
  • SAQ D: For any merchant or service provider that does not qualify for one of the types above. If your business stores, processes, or transmits cardholder data directly, this is the SAQ for you. It is the most detailed and covers all PCI DSS controls.

Take Note: As the risk and data handling increase, SAQ complexity rises to match the security requirements.


Which PCI DSS Level Applies to You?

Use our PCI DSS guide to identify your compliance level based on your cardholder data environment.

» Do you work in Fintech? Consider PCI-DSS as a baseline



Impact of PCI DSS Version 4.0.1 on RoC and SAQ

PCI DSS version 4.0.1 brings some important changes that affect both RoC and SAQ assessments.

  • For the RoC, assessors now look deeper, examining not just whether controls exist but how well they are working over time. Organizations can also use the new “customized approach” to meet a requirement’s security objective in a different way, but this comes with more detailed documentation and testing.
  • For the SAQ, the questions are more detailed and expect clearer supporting evidence, even though it remains a self-assessment.

Overall, businesses should expect more ongoing checks and stronger proof that security measures aren’t just set up but actively maintained. The focus is shifting from just ticking boxes to building a culture of continuous security.

This means more responsibility and flexibility, especially if companies want to use alternative ways to meet requirements.

Under version 4.0, both RoC and SAQ push organizations to take compliance more seriously and keep it consistent over time.

» Learn more about the key changes in PCI DSS 4.0 requirements and how it can affect your business



3 Business Factors Determining Whether to Pursue a RoC or an SAQ

The decision to complete a RoC or an SAQ largely depends on specific business characteristics.

1. Annual Transaction Volume

  • Organizations processing a high number of card transactions, typically over 6 million per year, are generally required to undergo a RoC. This is a detailed, expert-led audit that provides thorough validation of PCI DSS compliance.
  • Smaller businesses with fewer transactions usually qualify to complete an SAQ, which is simpler and self-administered.

» Learn more: What is good compliance, and how to get started?

2. Technology Infrastructure

  • Businesses that store, process, or transmit cardholder data directly or have complex payment environments are usually required to complete a RoC. This is because the complexity increases potential risks, demanding a deeper evaluation.
  • Conversely, organizations that fully outsource payment processing or use straightforward payment terminals often qualify for an SAQ.

3. Payment Channels

  • The method of accepting payments influences the required compliance validation. E-commerce businesses with integrated or custom payment systems often need a RoC or a more detailed SAQ type.
  • Retail locations using standalone card terminals or basic point-of-sale devices typically meet PCI requirements through simpler SAQ versions.

» GRSee can support your efforts to strengthen your security by building a robust PCI DSS strategy, beyond compliance



Influence of Banks, Processors, and Clients on PCI DSS Compliance Requirements

Sometimes, even if a business qualifies to use an SAQ, its acquiring bank, payment processor, or major clients may require a full RoC audit. These stakeholders want stronger assurance that cardholder data is well protected. They may insist on a RoC to get an independent, thorough review, especially if the business handles sensitive data or is part of a larger payment ecosystem.

In these cases, the business must complete the RoC to maintain its banking relationships, contracts, or payment processing privileges, regardless of transaction volume or usual qualification criteria.

» Still confused? Here's everything you need to know about PCI DSS



Risks of Using an SAQ Instead of a Required RoC

  • Increased risk of data breaches: Skipping the detailed RoC audit means missing expert security reviews. The SAQ’s simpler self-assessment may overlook serious vulnerabilities, leaving card data exposed to hackers. Breaches can result in financial losses, legal penalties, and damage to customer trust.
  • Fines and payment processing loss: Failing to complete a RoC when required leads to non-compliance. This can trigger fines from payment brands and banks. Worse, businesses risk losing their ability to process credit cards, disrupting revenue and operations.
  • Damaged business relationships: Major clients and partners may demand the higher assurance RoC provides. Using an SAQ instead can result in lost contracts or weakened trust, harming long-term growth.

» Make sure you avoid these common PCI DSS compliance pitfalls before they impact your business

Avoid PCI Compliance Risks

Let GRSee help you navigate PCI requirements and prevent compliance mistakes that could harm your business.



GRSee Helps You Get Ahead in PCI Compliance

As your business grows and handles more payment types or larger transaction volumes, preparing to transition from an SAQ to a RoC becomes essential. At GRSee, we help you build strong security foundations by documenting policies clearly, securing your systems, and training your team on PCI standards.

We guide you through understanding the PCI DSS compliance process, including mapping data flows and planning resources for audits. GRSee has successfully helped businesses of all sizes meet PCI requirements with confidence, whether starting with an SAQ or advancing to a RoC. Treating compliance as an ongoing effort—not just a checkbox—makes the shift smoother as your business evolves.

» Get started with GRSee’s PCI DSS solutions to simplify your security strategy

RoC vs. SAQ: Common Questions Answered

What is the difference between a RoC and an SAQ?

  • A Report on Compliance (RoC) is a detailed, formal audit conducted by a certified assessor, required mainly for large, high-volume merchants.
  • The Self-Assessment Questionnaire (SAQ) is a simpler, self-administered checklist suitable for smaller businesses with lower transaction volumes.

Which businesses need to complete a RoC?

Level 1 merchants processing over 6 million transactions annually and high-volume service providers must complete a RoC. Sometimes, acquiring banks or major clients also require a RoC regardless of transaction volume for additional assurance.

Can smaller businesses use an SAQ instead of a RoC?

Yes, most smaller businesses at Levels 2, 3, and 4 typically complete an SAQ. It’s tailored to different payment methods and environments and is less resource-intensive than a RoC. However, some banks or clients may still request a RoC.

How can my business prepare for transitioning from an SAQ to a RoC?

Start by strengthening your security foundation: document policies, train your staff, and monitor your systems. Consult with a QSA early to understand RoC requirements. Plan your budget and resources since RoC audits take more time and cost more than SAQs.