ISpectra Technologies
Validation & Reporting · Guide · Updated Jun 2026 · 6 min read

PCI DSS Self-Assessment Questionnaire (SAQ)

The SAQ is how most merchants validate PCI DSS themselves. Choosing and completing the right one correctly is the key to a valid self-assessment.


For the majority of businesses that accept card payments, PCI DSS compliance is validated not through a formal external audit but through a Self-Assessment Questionnaire, or SAQ. The SAQ lets eligible organizations confirm their own compliance by working through a structured set of questions covering the requirements relevant to how they handle card data. It is the most common validation route, and choosing and completing the right one correctly is essential.

This guide explains what the SAQ is, the different SAQ types and which scenarios they suit, how to select the correct one, how to complete it properly, and the common mistakes that lead to invalid self-assessments. Because the SAQ is self-directed, the responsibility for getting it right falls squarely on the organization, which makes understanding it especially important.

What the SAQ is

The Self-Assessment Questionnaire is a validation tool that allows eligible organizations to assess and attest to their own PCI DSS compliance. It consists of a series of questions, each corresponding to a PCI DSS requirement or sub-requirement, that the organization answers to record whether the control is in place. The answer options are not simply yes or no: a requirement can be marked as in place, in place with a compensating control (which must be documented on a compensating-control worksheet), not applicable, not tested, or not in place, and anything other than "in place" needs an explanation. The completed SAQ is signed off with an Attestation of Compliance (AOC), the short summary document that your acquirer or the payment brands actually receive.

The SAQ exists because requiring every small merchant to undergo a full external audit would be impractical and disproportionate. For organizations whose risk profile does not warrant a Report on Compliance, the SAQ provides a structured, standardized way to demonstrate compliance without the cost and complexity of a QSA-led assessment. It is, in effect, PCI DSS validation scaled to fit smaller and lower-risk environments.

Why there are multiple SAQ types

There is no single SAQ; instead, there are several types, each designed for a particular way of accepting and handling card payments. The reason is that the requirements that genuinely apply to a business depend heavily on how it processes cards. A merchant that has fully outsourced its payment page faces far fewer applicable requirements than one that processes card data on its own servers.

By tailoring each SAQ type to a specific scenario, the standard ensures organizations answer only the questions relevant to their situation. This keeps the self-assessment focused and proportionate, sparing a simple e-commerce merchant from requirements that only apply to complex card-present environments. The trade-off is that you must correctly identify which type fits you, because the types are not interchangeable.


The main SAQ types

The SAQ types correspond to common payment models. SAQ A is for merchants that have fully outsourced all cardholder data functions to PCI DSS compliant third parties, such as e-commerce sites that redirect to a hosted payment page or embed a payment iframe served entirely by the processor. SAQ A-EP is for e-commerce merchants that outsource payment processing but whose own website delivers elements of the payment page and can therefore affect the security of the transaction, for example a form on the merchant's page that posts card data directly to the processor. SAQ B covers imprint machines and standalone dial-out terminals with no electronic cardholder data storage; SAQ B-IP covers standalone PTS-approved terminals that connect to the processor over IP.

SAQ C is for merchants whose payment application system is connected to the internet, and SAQ C-VT for merchants that key transactions one at a time into a web-based virtual terminal from an isolated workstation; neither permits electronic storage of cardholder data. SAQ P2PE is for merchants using hardware terminals within a PCI-listed point-to-point encryption solution. SAQ D, the most comprehensive, applies to merchants that do not fit the simpler categories (for example, those that store cardholder data electronically) and is the only SAQ available to service providers, who use the separate SAQ D for Service Providers. Each type contains the subset of requirements relevant to its scenario, and each opens with eligibility criteria that you must meet in full before you may use it.

How to choose the right SAQ

Choosing the correct SAQ depends entirely on how you accept and process card payments. The key questions are whether you store, process, or transmit card data on your own systems, whether you have outsourced your payment page, whether you use card-present terminals, and whether you use technologies like validated point-to-point encryption. Your answers point to the SAQ type that matches your environment.

This choice is consequential and not always obvious, especially for e-commerce merchants, where the distinction between SAQ A and A-EP hinges on whether every element of the payment page that reaches the customer's browser originates only from the compliant third party (a full redirect or a processor-served iframe) or whether your own site delivers any part of it (a direct-post form or a JavaScript integration that renders the card fields on your page puts you in A-EP; card data that reaches your own server takes you to SAQ D). Getting it wrong undermines the validity of the entire self-assessment, so it is worth confirming your SAQ type carefully, and with expert input if there is any doubt, rather than assuming the simplest one applies.
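The SAQ A versus A-EP question above comes down to who serves the page that collects the card number and where that page sends it. The script below is an added example, not an ISpectra tool or anything from the PCI SSC: it parses a checkout page and reports which origin delivers the card-entry form, where that form posts, and whether card entry happens inside a processor iframe. The hostnames, the three sample pages and the field-name hints are constructed for the example, and the classification is a heuristic that only indicates which SAQ family to look at, not a determination of eligibility.

```python
"""Checkout-page inspector for the SAQ A / A-EP / D distinction.

Added example (not ISpectra's code). Heuristic: if the merchant's own page
contains the card fields, SAQ A is off the table; if those fields post to the
merchant's own origin, card data reaches the merchant and SAQ D applies.
All hostnames and sample HTML below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

MERCHANT_HOST = "shop.example"                  # assumed merchant origin
PROCESSOR_HOSTS = {"pay.processor.example"}     # assumed compliant third party
CARD_FIELD_HINTS = ("card", "pan", "cvv", "cvc", "expiry")  # assumed naming


class _CheckoutScanner(HTMLParser):
    """Collects forms with card-like inputs, external scripts and iframes."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each: {"action": str, "card_inputs": [names]}
        self.scripts = []      # src of every external <script>
        self.iframes = []      # src of every <iframe>
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "card_inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            autocomplete = (a.get("autocomplete") or "").lower()
            # HTML autocomplete tokens cc-number, cc-csc, cc-exp mark card fields
            if autocomplete.startswith("cc-") or any(h in name for h in CARD_FIELD_HINTS):
                self._current["card_inputs"].append(name or autocomplete)
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host(url, page_host):
    """Host an element is served from or posts to; a relative URL means the page's own host."""
    return (urlparse(url).hostname or page_host).lower()


def classify_checkout_page(html, page_host=MERCHANT_HOST, processor_hosts=PROCESSOR_HOSTS):
    """Return findings about one page plus a heuristic SAQ indication."""
    scanner = _CheckoutScanner()
    scanner.feed(html)
    card_forms = [f for f in scanner.forms if f["card_inputs"]]
    findings = {
        "card_forms_on_page": len(card_forms),
        "card_form_targets": sorted({_host(f["action"], page_host) for f in card_forms}),
        # Scripts you serve yourself are the ones you must inventory and authorize.
        "merchant_scripts": sorted(s for s in scanner.scripts if _host(s, page_host) == page_host),
        "processor_iframes": sorted(s for s in scanner.iframes if _host(s, page_host) in processor_hosts),
    }
    if card_forms:
        if page_host in findings["card_form_targets"]:
            findings["indication"] = "SAQ D: card data posts to your own origin"
        else:
            findings["indication"] = "SAQ A-EP: your page collects the card data, even though it posts to the processor"
    elif findings["processor_iframes"]:
        findings["indication"] = "SAQ A candidate: card entry happens inside a processor-served iframe"
    else:
        findings["indication"] = "No card entry on this page; inspect the page that actually collects the PAN"
    return findings


# Constructed sample pages (not real sites).
IFRAME_PAGE = """<html><body>
<script src="/static/checkout.js"></script>
<form action="/checkout/address" method="post"><input name="email"><input name="postcode"></form>
<iframe src="https://pay.processor.example/hosted?session=abc123"></iframe>
</body></html>"""

DIRECT_POST_PAGE = """<html><body>
<form action="https://pay.processor.example/direct" method="post">
<input name="card_number"><input name="cvv"><input name="expiry">
</form></body></html>"""

SELF_POST_PAGE = """<html><body>
<form action="/checkout/charge" method="post">
<input name="number" autocomplete="cc-number"><input name="code" autocomplete="cc-csc">
</form></body></html>"""

if __name__ == "__main__":
    for label, page in (("iframe", IFRAME_PAGE), ("direct post", DIRECT_POST_PAGE), ("self post", SELF_POST_PAGE)):
        print(label, "->", classify_checkout_page(page)["indication"])
```

Run it against the HTML your checkout actually serves (fetch it with the browser's "view source" rather than from your templates, so you see what the customer's browser receives). A result of "SAQ A candidate" still leaves the hosting page in scope for the script-management and change-detection expectations in PCI DSS v4, so treat the `merchant_scripts` list as the inventory you will need to justify.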

How to complete the SAQ

Once you have the right SAQ, completing it means working through each question honestly and confirming that the corresponding control is genuinely in place. For each requirement, you should be able to point to real evidence — a configuration, a policy, a process — that supports your answer. The SAQ is an attestation, so answering yes to a control you have not actually implemented is a serious misrepresentation.

Before completing the SAQ, it is wise to perform the underlying work: define your scope, implement the applicable controls, run any required scans, and gather evidence. The SAQ then becomes a confirmation of work already done rather than a wishful checklist. Completing it thoughtfully, with evidence behind each answer, is what makes the resulting attestation trustworthy and defensible.

The SAQ and supporting requirements

Completing the SAQ is usually not the only step in validation. Several SAQ types, including A-EP, B-IP, C and D, require passing quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and the SAQ and its Attestation of Compliance are submitted together with evidence of those scans. The "Before you begin" section of each SAQ states whether scans are required for that type, so check it rather than assuming. The SAQ confirms the controls; the scans provide independent technical assurance.

Understanding that the SAQ sits within a broader validation process prevents the mistake of treating it as a standalone exercise. Your acquiring bank typically expects the completed SAQ, the AOC, and passing scan results together. Planning for all of these as a package, rather than focusing solely on the questionnaire, ensures your validation is complete and accepted.

Common SAQ mistakes

The most damaging SAQ mistake is choosing the wrong type, which means assessing against the wrong set of requirements and producing an invalid attestation. Another is answering questions optimistically — marking controls as in place when they are not fully implemented — which creates a false attestation that can unravel after a breach. Failing to keep supporting evidence, or skipping the required scans, also undermines the validation.

These mistakes often stem from treating the SAQ as paperwork to be completed quickly rather than a genuine assessment of real controls. Approaching it seriously — confirming the right type, implementing the controls, gathering evidence, and answering honestly — avoids them and produces a self-assessment that genuinely stands behind your claimed compliance.

When you might outgrow the SAQ

The SAQ suits smaller and lower-risk organizations, but circumstances change. Growing transaction volume can push a merchant into a level that requires a Report on Compliance instead; the card brands set the thresholds, and for Visa and Mastercard, Level 1 begins at six million transactions a year and requires a ROC completed by a QSA or an Internal Security Assessor. A change in how you handle card data, bringing payment processing in-house for example, can move you to a more comprehensive SAQ type or beyond self-assessment entirely. A breach can also elevate your validation requirements, since the brands and acquirer may require a ROC afterwards regardless of volume.

Recognizing when you are approaching these transitions lets you prepare in advance rather than being caught out. Monitoring your transaction volume and reassessing your SAQ type whenever your payment processes change keeps your validation aligned with your actual situation, and avoids the unwelcome discovery that the questionnaire you have been completing no longer fits.

How ISpectra helps with your SAQ

Selecting the correct SAQ type and completing it accurately is the foundation of a valid self-assessed path to PCI DSS compliance, and small errors here can quietly invalidate the whole effort. ISpectra Technologies helps businesses determine the right SAQ for their payment model, implement the controls behind each answer, gather supporting evidence, and complete the questionnaire and its Attestation of Compliance correctly.

With free vulnerability assessment and penetration testing to support the scanning and testing requirements (quarterly external scans must still be performed by an Approved Scanning Vendor where your SAQ type calls for them) and a 10% discount when PCI DSS is bundled with SOC 2 or ISO 27001, ISpectra helps ensure your self-assessment is valid, defensible, and accepted by your acquiring bank the first time.


PCI DSS SAQ — FAQ

What is the PCI DSS SAQ?
The Self-Assessment Questionnaire is a validation tool that lets eligible organizations assess and attest to their own PCI DSS compliance by answering questions covering the requirements relevant to how they handle card data.

What SAQ types are there?
There are several SAQ types, including A, A-EP, B, B-IP, C, C-VT, P2PE, and D, each designed for a particular way of accepting and handling card payments so you answer only the relevant requirements.

How do I know which SAQ type applies to me?
Your SAQ type depends on how you accept and process card data, such as whether you outsource your payment page, use card-present terminals, or use validated point-to-point encryption. Choosing correctly is essential to a valid self-assessment.

What is the difference between SAQ A and SAQ A-EP?
SAQ A is for merchants who fully outsource all card handling, while SAQ A-EP is for e-commerce merchants who partially outsource but whose website can still affect the security of the payment.

Do I need vulnerability scans as well as the SAQ?
Several SAQ types require passing quarterly scans by an Approved Scanning Vendor, submitted alongside the SAQ and Attestation of Compliance; each SAQ states whether scans are required for that type.

What are the most common SAQ mistakes?
The most common are choosing the wrong SAQ type, which means assessing against the wrong requirements, and answering questions optimistically by marking controls as in place when they are not fully implemented.