GRSee cybersecurity and compliance

The 5 Most Common PCI DSS SAQs: Which One Do You Need?

Understanding the different PCI DSS SAQs allows businesses to manage payment security effectively, whether online, in-store, or via virtual terminals.

By Besther Nwosu
Edited by Danéll Theron

Updated December 17, 2025



Managing cardholder data properly is a critical responsibility for businesses that accept payments. Different types of PCI DSS Self-Assessment Questionnaires (SAQs) apply depending on how you handle cardholder data and the channels you use. Choosing the right SAQ ensures compliance, reduces risk, and keeps customer transactions secure.

In this blog, we will explore the most common SAQ types, scenarios for multiple SAQs, and when you may need to move between SAQ types.

» Take the first step towards PCI DSS compliance: Reach out to our experts



Businesses Required to Complete an SAQ Under PCI DSS

  1. Service providers that store, process, or transmit cardholder data, or that could affect its security, must validate PCI DSS compliance. Under the Visa and Mastercard programs, Level 1 service providers (more than 300,000 transactions annually) must have a Qualified Security Assessor (QSA) produce a Report on Compliance (ROC); Level 2 service providers (300,000 or fewer) may self-assess using SAQ D for Service Providers, the only SAQ available to service providers.
  2. Merchants are assigned a level by annual transaction volume, with thresholds set by the card brands and applied by the acquiring bank. Level 1 merchants (over 6 million transactions) need a ROC; Level 2 merchants (1 to 6 million) may complete an SAQ with acquirer approval, and some brands require a QSA or an Internal Security Assessor (ISA) to sign off; Level 3 and 4 merchants (under 1 million) normally validate with an SAQ.
  3. Which SAQ a merchant completes depends on the payment channel and on how account data is handled, not on transaction volume. A merchant that is not eligible for any of the reduced-scope SAQs (for example because it stores account data electronically, or because its systems are connected to the cardholder data environment) must complete SAQ D for Merchants.

» Learn more: What is good compliance, and how to get started?



Importance of Compliance

Meeting PCI DSS compliance requirements plays a key role in protecting both business operations and customer trust. Regardless of size or industry, maintaining compliance ensures payment security remains a top priority.

  • It strengthens data protection and minimizes the risk of payment fraud or data breaches.
  • It builds lasting trust with customers, acquiring banks, and business partners.
  • It helps businesses avoid costly penalties and the potential suspension of card processing privileges.
  • It ensures alignment with recognized industry security standards and operational best practices.
  • It promotes continuous security awareness, vulnerability management, and proactive risk mitigation.
  • It enhances business resilience by ensuring systems are prepared for evolving cyber threats.

» Discover how to succeed with PCI DSS compliance



The Five Most Common PCI DSS SAQ Types

Each Self-Assessment Questionnaire corresponds to a specific payment setup and level of control over cardholder data. Below are the five most common SAQs and what each one covers.

1. SAQ A

SAQ A is the most streamlined of all SAQs. It applies to card-not-present merchants that have outsourced every cardholder data function to PCI DSS–validated third-party service providers. Merchants eligible for this form do not electronically store, process, or transmit account data on their own systems; at most they handle paper receipts or reports.

This approach reduces scope, risk, and technical complexity while maintaining compliance through proper vendor management.

Who needs it? E-commerce or mail/telephone-order merchants that rely entirely on third-party hosted payment pages or redirects for processing transactions.

Main PCI DSS requirements covered
  • Merchants must confirm that account data is never electronically stored, processed, or transmitted on their own systems; any cardholder data that exists on paper must be physically protected and securely destroyed when no longer needed.
  • They are required to document the specific security responsibilities between themselves and each payment provider to ensure there are no gaps in compliance.
  • Merchants must verify annually that all service providers remain PCI DSS compliant, normally by obtaining each provider's current Attestation of Compliance (AOC).
  • They must also maintain secure configurations, patching, and change control for any website components that could influence the payment process (for instance the page that hosts the redirect or the provider's iframe).
Technical controls
  • All pages associated with the payment process should use HTTPS secured with TLS 1.2 or higher to prevent data interception.
  • Administrative access must be restricted to authorized personnel only, and routine vulnerability scans should be conducted to detect weaknesses in public-facing web assets.
  • All software and plugins must remain patched and up to date to mitigate the risk of known exploits.

» Make sure you know the difference between a vulnerability scan and a penetration test

2. SAQ A-EP

SAQ A-EP applies to e-commerce merchants whose own website controls how cardholder data is sent to the payment processor, even though the merchant never receives the data itself. Typical cases are a merchant-hosted page that posts card data directly to the provider, or a page that loads the provider's JavaScript to build the card-entry form. A page that only redirects to the provider, or that embeds the provider's iframe, remains eligible for SAQ A.

The questionnaire is broader than SAQ A because the merchant’s web infrastructure can directly affect payment security.

Who needs it? E-commerce merchants managing their own web servers or scripts that interact with third-party payment gateways.

Main PCI DSS requirements covered
  • Merchants must maintain secure web server configurations by removing default credentials, disabling unnecessary services, and applying vendor-recommended hardening guidelines.
  • A vulnerability management program must be in place, covering continuous patching, scanning, and remediation of identified risks.
  • Penetration testing should be performed regularly to assess both the network and the application layer for exploitable weaknesses.
  • All scripts loaded and executed on the payment page must be inventoried with a written justification, authorized, and integrity-checked, and a change- and tamper-detection mechanism must alert the merchant to unauthorized modification of the page's HTTP headers and content (PCI DSS v4.0 Requirements 6.4.3 and 11.6.1).
  • Merchants must enforce strict access controls to limit administrative privileges and implement system logging to monitor all user activities.
  • Every service provider connected to the merchant’s payment process must undergo annual PCI DSS compliance validation to confirm ongoing adherence to standards.

» Read more: What is penetration testing and how does it fortify your cybersecurity?

Technical controls
  • Firewalls and intrusion prevention systems should be deployed to separate public-facing web servers from internal environments.
  • Administrative accounts must use multi-factor authentication (MFA) to prevent unauthorized access.
  • A web application firewall (WAF) should be implemented to detect and block injection or script-based attacks. Merchants should enable integrity monitoring to identify any unauthorized code changes.
  • TLS configurations must be reviewed regularly to ensure strong encryption is maintained.
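
As an added example (not code from the original page and not a GRSee tool), the following Python script performs the kind of payment-page script check that PCI DSS v4.0 Requirements 6.4.3 and 11.6.1 call for under SAQ A-EP: every script element on the page is compared with an authorized inventory, external scripts must carry the expected Subresource Integrity hash, inline scripts are matched by the hash of their body, and a Content-Security-Policy script-src directive is derived from the same inventory so the browser itself refuses anything the inventory does not list. The sample page, the hostnames, and the integrity values are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample payment page; hostnames and integrity values are placeholders.
PAYMENT_PAGE = """<html><head>
<script src="https://js.example-psp.test/v3/fields.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example-merchant.test/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
<script src="https://tag.thirdparty-analytics.test/t.js"></script>
</head><body><form id="payment-form"></form></body></html>
"""


def sri_hash(body: bytes) -> str:
    """SRI/CSP-style digest of a script body: 'sha384-' + base64(SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


# Authorized script inventory (Req. 6.4.3: each script has a written justification
# and a way to assure its integrity). External scripts are keyed by URL; inline
# scripts by "inline:" + the digest of their exact body, as a browser hashes it for CSP.
INVENTORY = {
    "https://js.example-psp.test/v3/fields.js": {
        "justification": "Payment provider hosted card fields",
        "integrity": "sha384-AAAA",  # placeholder value
    },
    "https://cdn.example-merchant.test/checkout.js": {
        "justification": "Merchant checkout logic",
        "integrity": "sha384-BBBB",  # placeholder value
    },
    "inline:" + sri_hash(b'window.checkoutConfig = {currency: "USD"};'): {
        "justification": "Checkout configuration object",
        "integrity": None,
    },
}


class _ScriptCollector(HTMLParser):
    """Collects src, integrity attribute and body of every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_payment_page(html: str, inventory: dict) -> list:
    """Return one finding per script that violates the inventory (empty list = clean).

    Findings cover: external script not inventoried, inventoried script served
    without an integrity attribute, integrity attribute that differs from the
    inventory (possible tampering, Req. 11.6.1), and inline script whose body
    hash is not inventoried.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        if script["src"]:
            entry = inventory.get(script["src"])
            if entry is None:
                findings.append(f"UNAUTHORIZED external script: {script['src']}")
            elif not script["integrity"]:
                findings.append(f"MISSING integrity attribute: {script['src']}")
            elif script["integrity"] != entry["integrity"]:
                findings.append(f"INTEGRITY MISMATCH: {script['src']}")
        else:
            digest = sri_hash(script["body"].encode())
            if "inline:" + digest not in inventory:
                findings.append(f"UNAUTHORIZED inline script: {digest}")
    return findings


def build_csp(inventory: dict) -> str:
    """Derive a script-src directive that allows only inventoried origins and
    inline bodies, so the browser blocks any script the inventory does not list."""
    sources = []
    for key in inventory:
        if key.startswith("inline:"):
            src = "'" + key[len("inline:"):] + "'"
        else:
            parts = urlsplit(key)
            src = f"{parts.scheme}://{parts.netloc}"
        if src not in sources:
            sources.append(src)
    return "script-src " + " ".join(sources)


if __name__ == "__main__":
    for finding in audit_payment_page(PAYMENT_PAGE, INVENTORY):
        print(finding)
    print("Content-Security-Policy:", build_csp(INVENTORY))
```

Run against the constructed page, the audit reports the merchant's own checkout.js because it is served without an integrity attribute, and the analytics tag because it is not in the inventory at all; the provider's hosted-fields script and the inline configuration pass. Running this check against the live page on a schedule, and comparing the result with the previous run, is one way to back the tamper-detection requirement, while the generated script-src header turns the inventory into a control the browser enforces.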

» Explore the standards you should meet when building a security culture

3. SAQ B-IP

SAQ B-IP is typically used by smaller merchants whose standalone, PCI PTS-approved point-of-interaction (POI) terminals send transactions to the processor over an IP network. Because the terminals are approved devices, are not connected to any other system in the merchant environment, and store no account data, the scope remains limited and manageable.

Who needs it? Merchants using standalone, IP-connected point-of-interaction (POI) terminals that are not integrated with other systems.

Main PCI DSS requirements covered
  • Merchants are required to implement network segmentation and firewalls that isolate payment terminals from all other business networks and systems.
  • They must maintain an up-to-date inventory of all payment devices and verify that each model is an approved device on the PCI SSC PTS list.
  • Merchants must confirm that no cardholder data is ever stored locally on any device or connected system.
  • A documented incident response and monitoring procedure must be established to quickly identify and react to any potential terminal compromise.
Technical controls
  • Each payment terminal should be connected through a dedicated network segment or VLAN separate from other business systems.
  • Firmware and software updates must be installed directly from approved vendors to maintain device integrity.
  • Unused network ports and protocols should be disabled to reduce exposure to threats.
  • Continuous network traffic monitoring should be in place to detect unusual activity, and firewall configurations must be reviewed regularly to ensure ongoing isolation.

» Learn how to build a robust PCI DSS security strategy beyond compliance

4. SAQ C-VT

SAQ C-VT is widely used by merchants who process payments through third-party virtual terminals on secure, isolated devices without storing cardholder data. Its popularity comes from the simplified compliance scope, which reduces the time, cost, and effort compared to more complex SAQs.

The device is used in a single location, is not connected to other systems or locations within the merchant environment, and stores no account data, so no other merchant system ever handles cardholder data.

Who needs it? SAQ C-VT applies to brick-and-mortar or mail/telephone-order merchants that manually enter cardholder data into a PCI DSS–validated third-party virtual terminal via a secure, dedicated web browser on an isolated computing device.

Main PCI DSS requirements covered
  • Merchants must maintain a secure network with properly configured firewalls.
  • All vendor-supplied default passwords must be changed to prevent unauthorized access.
  • Cardholder data must be encrypted during transmission to protect against interception.
  • Systems must be kept secure with up-to-date anti-malware software and timely patching.
  • Access to cardholder data must be restricted with unique IDs and strong authentication.
  • The virtual terminal device and the controls around it must be reviewed regularly, including confirming that the device still meets the isolation criteria and that patches and anti-malware definitions are current.
  • Written security policies, staff training, and incident response procedures must be maintained.
Technical controls
  • Network security: Firewalls must isolate the virtual terminal device from other network segments to prevent unauthorized access.
  • System configuration: Secure settings must be applied, including changing default passwords and disabling unnecessary services.
  • Data protection: Cardholder data must never be stored on merchant systems and must be encrypted during transmission.
  • Anti-malware: Devices must run up-to-date anti-malware software that performs regular scans.
  • Access control: Only authorized personnel may access the virtual terminal, with unique IDs assigned for accountability.
  • Paper records: If cardholder data exists on paper, it must be securely locked and destroyed when no longer needed.

5. SAQ D

SAQ D is the most extensive and complex of all SAQ types. It covers every PCI DSS requirement that applies to the environment, and it comes in two versions: SAQ D for Merchants and SAQ D for Service Providers. Because it involves systems that handle or store account data, SAQ D demands rigorous documentation, ongoing monitoring, and advanced security controls.

Who needs it? Service providers that are eligible to self-assess, and any merchant that does not meet the eligibility criteria of a reduced-scope SAQ: for example, merchants that store account data electronically, process payments on their own systems, or connect card-handling systems to other parts of their IT environment.

Main PCI DSS requirements covered

Implementation of all 12 PCI DSS requirements, to the extent they apply to the environment, including:

  • Maintaining secure networks and systems with properly configured firewalls and routers.
  • Protecting stored cardholder data using encryption, masking, and strict access controls.
  • Encrypting transmission of cardholder data across open or public networks.
  • Implementing vulnerability management through patching, anti-malware, and secure development practices.
  • Restricting access to cardholder data by business need-to-know principles.
  • Assigning unique IDs to all personnel with computer access.
  • Tracking and monitoring all access to network resources and cardholder data.
  • Regularly testing security systems and processes.
  • Maintaining comprehensive information security policies, including risk management, awareness training, and incident response.
Technical controls
  • Firewalls and network segmentation must isolate systems that handle cardholder data.
  • Stored PAN must be rendered unreadable wherever it is kept, using strong cryptography (for example AES with at least 128-bit keys, with keys managed separately from the data), truncation, tokenization, or a keyed cryptographic hash; sensitive authentication data must never be stored after authorization.
  • Logging and monitoring must be centralized through secure SIEM tools to detect suspicious activity, with audit logs reviewed daily and retained for at least 12 months.
  • Access must be governed by the principle of least privilege, with MFA required for all access into the cardholder data environment, all non-console administrative access, and all remote access.
  • Internal and external vulnerability scans must be run at least quarterly (external scans by an Approved Scanning Vendor), and penetration tests at least annually and after significant changes, with documented remediation.
  • All systems must have strict change management procedures, ensuring updates are tested and authorized before deployment.
  • Physical security controls (e.g., locked data centers, surveillance) must be enforced for all environments storing or processing cardholder data.
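
The "protect stored cardholder data" controls above, as an added example in Python (not code from the original page or from GRSee): it recognises PAN-shaped input with the Luhn check, masks the PAN for display, truncates it for storage, derives a keyed-hash index with HMAC-SHA256 so stored records can still be matched to a card, and strips sensitive authentication data before anything is persisted. The card number used is the well-known 4111 1111 1111 1111 test PAN and the index key is a placeholder; the field names are assumptions for the sake of the example.

```python
import hashlib
import hmac
import re

# Fields that hold sensitive authentication data (SAD) and must never be stored
# after authorization, even encrypted (PCI DSS Req. 3.3.1). Names are illustrative.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block", "track1", "track2", "track"}


def normalize_pan(value: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and '4111-1111-...' compare equal."""
    return re.sub(r"[ -]", "", value)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: used to recognise PAN-shaped data before handling it."""
    pan = normalize_pan(pan)
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, last4_only: bool = False) -> str:
    """Display masking (Req. 3.4.1): show at most the BIN (first 6) and last 4.
    Personnel without a business need to see the BIN get only the last four."""
    pan = normalize_pan(pan)
    visible_prefix = "" if last4_only else pan[:6]
    return visible_prefix + "*" * (len(pan) - len(visible_prefix) - 4) + pan[-4:]


def truncate_pan(pan: str) -> tuple:
    """Storage truncation (Req. 3.5.1): keep only BIN and last four. The middle
    digits are discarded, not hidden, so the full PAN cannot be recovered."""
    pan = normalize_pan(pan)
    return pan[:6], pan[-4:]


def pan_index(pan: str, key: bytes) -> str:
    """Keyed cryptographic hash (HMAC-SHA256) of the full PAN (Req. 3.5.1.1).
    Lets stored records be matched to a card without storing the PAN; because the
    hash is keyed, it cannot be combined with the truncated value to rebuild the PAN."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def store_record(fields: dict, index_key: bytes) -> dict:
    """Build the only form of a transaction record that may be persisted:
    SAD is dropped and the PAN is replaced by its truncation plus the keyed index."""
    if "pan" not in fields or not luhn_valid(fields["pan"]):
        raise ValueError("record has no valid PAN")
    bin_, last4 = truncate_pan(fields["pan"])
    record = {
        "pan_bin": bin_,
        "pan_last4": last4,
        "pan_index": pan_index(fields["pan"], index_key),
    }
    for name, value in fields.items():
        if name == "pan" or name.lower() in SAD_FIELDS:
            continue  # never persist the full PAN or any SAD
        record[name] = value
    return record


if __name__ == "__main__":
    # Constructed sample: the standard test PAN and a placeholder index key.
    sample = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/27", "name": "A Cardholder"}
    print(mask_pan(sample["pan"]))  # 411111******1111
    print(store_record(sample, b"placeholder-index-key"))
```

The index key is the piece that makes this PCI-defensible: it must be generated and stored under the same key-management controls as an encryption key (Requirement 3.6 and 3.7), held outside the database that holds the records, and never logged, otherwise the HMAC degrades into an unkeyed hash that an attacker can brute-force across the small PAN space.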

» Know which PCI DSS path fits your business—so you can avoid these PCI DSS pitfalls




Scenarios Where Businesses Qualify for Multiple SAQs

Businesses with multiple payment channels can qualify for different SAQ types simultaneously. Each channel’s cardholder data environment should be assessed separately, with the appropriate SAQ completed for each. Confirm the approach with your acquiring bank first: it may instead ask for a single SAQ D that covers all channels.

1. Online and In-Person Payments

A business accepting payments both online and in physical stores may qualify for different SAQs: SAQ A for outsourced online payments and SAQ B-IP for standalone IP-connected terminals in stores.

The business should clearly separate the payment environments, complete each SAQ based on the specific channel’s requirements, and submit all assessments together to their acquiring bank. Defining scope carefully prevents overlap and ensures complete compliance coverage.

» Learn more: Here are the benefits of PCI DSS compliance

2. E-commerce with Embedded Payment Forms

Merchants whose e-commerce pages load a third-party provider's JavaScript to build the card-entry form, or that post card data from their own page directly to the provider, fall under SAQ A-EP (a page that only embeds the provider's iframe or redirects to the provider stays under SAQ A). If the same merchant also keys mail or telephone orders into a virtual terminal, that channel requires SAQ C-VT.

Each environment’s controls and scope differ, so the business must complete both SAQs independently, ensuring that the security of each payment method is addressed correctly.

3. Complex Multi-Channel Retailers

A retailer with several payment methods may need several SAQs: SAQ A for outsourced online sales, SAQ B-IP for standalone IP-connected terminals in its stores, and SAQ C-VT for mail and telephone orders keyed into a virtual terminal.

They must perform data flow mapping, select the appropriate SAQ per channel, maintain separate compliance documentation, and coordinate submission to the acquiring bank. This approach ensures full PCI DSS compliance across all payment channels.

Remember: Businesses may need to move to a different SAQ type when their payment environment changes due to growth, new technology, or updated processes. This ensures that the SAQ reflects current payment channels, covers the right security risks, and maintains accurate PCI DSS compliance.

» Still confused? Here's everything you need to know about PCI DSS



How GRSee Can Support Your Compliance Journey

Handling PCI DSS compliance across multiple payment channels requires careful attention to the right SAQ types and proper security measures. At GRSee Consulting, we help you identify which SAQs apply to your business, implement the necessary technical and operational controls, and keep all documentation in order.

We also coordinate compliance efforts across different payment environments to make sure nothing is overlooked. With our support, you can reduce the risk of data breaches, maintain accountability, and confidently demonstrate compliance to your customers and acquiring banks.

» Get started with GRSee’s PCI DSS solutions to simplify your security strategy

FAQs

Can a business qualify for multiple SAQs at the same time?

Yes. Businesses with multiple payment channels must assess each channel separately and complete the appropriate SAQ for each.

How often should SAQs be completed?

SAQs should be completed annually, or whenever there’s a significant change in payment processing or systems.

What triggers a move from one SAQ type to another?

Changes in payment methods, expansion into new channels, or storing/processing cardholder data internally may require switching to a different SAQ.

Are SAQs mandatory for all merchants?

Most merchants are required to complete an SAQ or an on-site assessment, depending on transaction volume and how they handle cardholder data.