ISpectra Technologies
Validation & Reporting · Guide · Updated Jun 2026 · 6 min read

Which PCI SAQ Do You Need?

Choosing the wrong SAQ invalidates your self-assessment. This guide maps each SAQ type to the payment scenario it fits so you pick the right one.


Choosing the correct Self-Assessment Questionnaire is one of the most consequential decisions in a self-assessed PCI DSS validation. Pick the right SAQ and you assess against exactly the requirements that apply to you; pick the wrong one and your entire self-assessment is invalid, either omitting requirements you should meet or burdening you with ones that do not apply. Yet the choice trips up many businesses, because the distinctions can be subtle.

This guide walks through each SAQ type — A, A-EP, B, B-IP, C, C-VT, P2PE, and D — explaining the payment scenario each one fits and the key questions that point you to the right choice. By the end you will be able to identify which SAQ matches how your business actually accepts and handles card payments.

Why choosing the right SAQ matters

The SAQ types exist because the PCI DSS requirements that genuinely apply to a business depend on how it handles card data. Each SAQ contains only the subset of requirements relevant to a particular payment scenario, so selecting the one that matches your situation ensures you assess against the right controls — no more and no less. The choice defines the scope of your entire self-assessment.

Choosing incorrectly has real consequences. A too-simple SAQ may omit requirements you are actually obligated to meet, producing an attestation that does not reflect your true risk and will not hold up in the forensic investigation that follows a breach. A mismatched SAQ may also be rejected by your acquiring bank. Because so much rides on it, the choice deserves careful thought rather than a quick guess at the most convenient option.

SAQ A: fully outsourced e-commerce

SAQ A is the shortest and simplest, designed for card-not-present merchants (e-commerce, and mail or telephone order) that have fully outsourced all handling of cardholder data to PCI DSS compliant third-party service providers. The classic example is an e-commerce merchant whose checkout is entirely hosted by a payment provider: the customer is redirected to the provider's page, or the provider's form is delivered inside an iframe, so that every element of the payment page originates from the provider and card data never reaches the merchant's systems.

To qualify for SAQ A, your systems must not electronically store, process, or transmit cardholder data; that responsibility rests wholly with the outsourced provider, and you need confirmation (typically the provider's Attestation of Compliance) that each provider is PCI DSS compliant. Because so little card data touches your environment, the applicable requirements are minimal. Many small online merchants aim for an architecture that qualifies for SAQ A precisely because it dramatically reduces their compliance burden. Note that the PCI SSC has tightened SAQ A eligibility around the merchant page that embeds or redirects to the payment form, so check the eligibility criteria printed in the current SAQ A before relying on it.


SAQ A-EP: e-commerce that affects the payment

SAQ A-EP applies to e-commerce merchants whose systems do not receive cardholder data but whose website controls how the customer, or the customer's card data, reaches the payment processor. Typical cases are a payment form rendered by the merchant's own page that posts straight to the processor (often called "direct post"), or merchant-served JavaScript that collects the card fields and sends them to the processor. It is more demanding than SAQ A because a compromise of the merchant's web server or page can redirect or skim the payment even though the merchant never intends to handle card data.

The distinction between SAQ A and A-EP therefore comes down to where the elements of the payment page originate. If every element that captures card data comes from the provider (a full redirect, or a provider-hosted iframe), SAQ A is within reach; if your own site serves or controls any part of the page that captures card data, even partially, A-EP is likely the correct choice. This is one of the most commonly misjudged distinctions in all of PCI, and getting it right requires examining exactly how your checkout is built, not how the integration is described.
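The question of where the payment-page elements originate is easiest to answer by reading the markup the merchant page actually serves. The following is an added example written for this guide, not code from ISpectra or from the PCI SSC: a heuristic Node.js scan that reads a checkout page's HTML, records whether any card-capturing fields are rendered by the merchant page itself, where a form would post them, and which origins serve iframes and scripts, then maps those facts onto the SAQ A / A-EP / D split described above. The merchant origin `https://shop.example`, the provider origin `https://pay.psp.example` and the three sample pages are constructed for illustration. The regexes are a review aid, not a compliance determination: fields injected at runtime or submissions driven by script still need a manual look.

```javascript
// Added example for this guide (not ISpectra's or the PCI SSC's code): a heuristic,
// offline scan of a checkout page's HTML that surfaces the facts behind the
// SAQ A vs. A-EP vs. D decision. Assumed inputs: the merchant's page origin and
// the HTML it serves. It is a starting point for review, not a compliance ruling.

// name / id / autocomplete tokens that mark a field as capturing card data.
const CARD_FIELD = /cc-number|cc-csc|cc-exp|card[-_ ]?number|\bpan\b|cvv|cvc|expir/i;

// Read one attribute out of a raw tag string (sufficient for well-formed HTML).
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Resolve a possibly relative URL against the page origin and return its origin.
function originOf(url, pageOrigin) {
  try { return new URL(url, pageOrigin).origin; } catch { return null; }
}

function classifyCheckout(html, pageOrigin) {
  const tags = (re) => html.match(re) || [];
  const evidence = {
    cardInputsOnPage: [],   // card fields rendered by the merchant page itself
    formTargets: [],        // origins that <form action> would post to
    thirdPartyIframes: [],  // iframes served from another origin (hosted payment form)
    firstPartyScripts: [],  // scripts the merchant serves, inline included
    thirdPartyScripts: [],
  };

  for (const t of tags(/<input\b[^>]*>/gi)) {
    const label = [attr(t, "name"), attr(t, "id"), attr(t, "autocomplete")]
      .filter(Boolean).join(" ");
    if (CARD_FIELD.test(label)) evidence.cardInputsOnPage.push(label);
  }
  for (const t of tags(/<form\b[^>]*>/gi)) {
    const action = attr(t, "action");
    if (action) evidence.formTargets.push(originOf(action, pageOrigin));
  }
  for (const t of tags(/<iframe\b[^>]*>/gi)) {
    const o = originOf(attr(t, "src") || "", pageOrigin);
    if (o && o !== pageOrigin) evidence.thirdPartyIframes.push(o);
  }
  for (const t of tags(/<script\b[^>]*>/gi)) {
    const src = attr(t, "src");
    const o = src ? originOf(src, pageOrigin) : pageOrigin;
    (o === pageOrigin ? evidence.firstPartyScripts : evidence.thirdPartyScripts)
      .push(src || "(inline)");
  }

  // Map the evidence onto the SAQ split. A card field in the merchant's own HTML
  // means the merchant page captures card data; where it is posted then decides
  // between A-EP (straight to a third party) and D (to the merchant's own origin).
  let saq, reason;
  if (evidence.cardInputsOnPage.length === 0) {
    if (evidence.thirdPartyIframes.length > 0) {
      saq = "A"; reason = "card fields are rendered only inside a third-party iframe";
      if (evidence.firstPartyScripts.length > 0) reason += "; merchant-served scripts on this page should be inventoried";
    } else {
      saq = "UNKNOWN"; reason = "no card fields or payment iframe found; check for a redirect or a later step";
    }
  } else if (evidence.formTargets.some((o) => o === pageOrigin)) {
    saq = "D"; reason = "card fields on the merchant page post to the merchant's own origin";
  } else {
    saq = "A-EP"; reason = "card fields on the merchant page post directly to a third party (verify any script-driven submission too)";
  }
  return { saq, reason, evidence };
}

// Constructed samples (not real merchant pages); origins are assumed for illustration.
const MERCHANT_ORIGIN = "https://shop.example";

const IFRAME_CHECKOUT = `
<form id="order" action="/order/confirm" method="post">
  <input name="email" type="email">
  <iframe src="https://pay.psp.example/card-form?session=abc" title="Card details"></iframe>
  <script src="https://pay.psp.example/sdk.js"></script>
  <button>Pay</button>
</form>`;

const DIRECT_POST = `
<form action="https://pay.psp.example/direct" method="post">
  <input name="cardnumber" autocomplete="cc-number">
  <input name="cvv" autocomplete="cc-csc">
  <input type="hidden" name="merchant_ref" value="order-123">
  <button>Pay</button>
</form>`;

const MERCHANT_POST = `
<form action="/checkout/charge" method="post">
  <input name="card_number">
  <input name="expiry">
  <button>Pay</button>
</form>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, page] of Object.entries({ IFRAME_CHECKOUT, DIRECT_POST, MERCHANT_POST })) {
    const r = classifyCheckout(page, MERCHANT_ORIGIN);
    console.log(`${name}: SAQ ${r.saq} (${r.reason})`);
  }
}
```

Run it with `node` against a saved copy of your own checkout page and your real origin. The useful output is the evidence object as much as the verdict: a page that qualifies for SAQ A on paper but still loads merchant-served scripts next to the provider's iframe is exactly the situation the tightened SAQ A criteria are aimed at.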

SAQ B and B-IP: card-present terminals

SAQ B is for merchants that take payments using standalone, dial-out terminals or imprint machines, with no electronic cardholder data storage. It suits simple card-present setups where transactions are handled by isolated devices rather than integrated systems. SAQ B-IP covers merchants using standalone, PCI PTS-approved point-of-interaction (POI) terminals that connect to the processor over IP, again with no electronic storage of card data.

These SAQ types fit traditional brick-and-mortar scenarios where the payment device is the primary point of contact with card data and the merchant's broader systems are not involved in processing. The key qualifying conditions are the use of approved standalone terminals that are not connected to any other system in the merchant environment, the absence of electronic cardholder data storage on the merchant's systems, and no e-commerce acceptance; an IP-connected terminal that shares a network with the back office should be segmented from it, or B-IP is no longer a comfortable fit.

SAQ C and C-VT: payment applications and virtual terminals

SAQ C applies to merchants with payment application systems connected to the internet, where card data is processed through an application but not stored electronically after authorization. It suits merchants running a point-of-sale or payment application that is internet-connected, which introduces more risk and therefore more applicable requirements than the standalone-terminal scenarios. The eligibility criteria expect the payment application system and its internet connection to sit on the same device or local network, and that system not to be connected to other systems within the merchant environment.

SAQ C-VT is for merchants who process card data through a web-based virtual terminal, manually keying in transactions on an isolated computer (a single location, not connected to other systems in the environment, with no card-reading hardware attached), with no electronic storage. Both types sit in the middle of the spectrum: more involved than fully outsourced or standalone-terminal scenarios, but less comprehensive than the full SAQ D, reflecting their moderate level of contact with card data. Neither covers e-commerce acceptance.

SAQ P2PE: validated point-to-point encryption

SAQ P2PE is for merchants using a validated point-to-point encryption solution listed by the PCI Security Standards Council, where card data is encrypted at the point of capture by the POI device and the merchant has no access to the unencrypted data or the keys. Because the P2PE solution removes usable card data from the merchant's environment, the applicable requirements are significantly reduced.

This SAQ type rewards the use of strong, validated encryption technology by recognizing the reduced risk it creates. To qualify, the solution must be a PCI-listed P2PE solution, used only with the devices and in the manner its P2PE Instruction Manual (PIM) describes, not merely encryption in general; the merchant must genuinely have no ability to decrypt the data, and must not store cardholder data electronically or handle it through any other channel. For eligible merchants, P2PE can be an attractive way to simplify both security and validation.

SAQ D: everything else

SAQ D is the most comprehensive questionnaire, covering all the PCI DSS requirements applicable to the assessed entity, and it comes in two versions: SAQ D for Merchants and SAQ D for Service Providers. It applies to merchants that do not meet the eligibility criteria for any of the simpler SAQ types (typically those that store, process, or transmit cardholder data more directly, such as a merchant whose own servers receive the card number) and to service providers eligible to self-assess. Because it spans the full requirement set, SAQ D is by far the largest and most demanding self-assessment.

If your environment handles card data in ways that do not fit the narrower scenarios, SAQ D is the appropriate choice. While it involves the most work, it is the correct path when the simpler types genuinely do not apply, and attempting to use a lighter SAQ to avoid it would produce an invalid self-assessment. Requirements that truly do not apply to your environment can be marked not applicable within SAQ D, with a documented justification; that is the proper way to narrow the work, not picking a lighter questionnaire. For complex environments, SAQ D reflects the reality of their broader contact with card data.

How to confirm your choice

To confirm which SAQ applies, work through how your business accepts payments: whether you are e-commerce, card-present, or both; whether card data touches your systems or is fully outsourced; whether you use approved standalone terminals, payment applications, virtual terminals, or validated P2PE; and whether you store any card data electronically. Your answers narrow the field to the correct type. A merchant with more than one acceptance channel may need more than one SAQ, or may be told by its acquirer to complete SAQ D instead, so do not assume the channel with the lightest questionnaire sets the scope for the whole business.

Where the choice is ambiguous, particularly the SAQ A versus A-EP distinction for e-commerce, examine the technical details of your payment integration (where the payment-page elements originate, and where the card data is posted) or seek expert input. Confirming your SAQ type with your acquiring bank is also wise, since the acquirer accepts the final validation and may have its own rules about which SAQ a merchant of your level may use. A few minutes confirming the right type prevents the far larger cost of an invalid self-assessment.

How ISpectra helps you pick and complete the right SAQ

Identifying the correct SAQ for your payment model, and then completing it accurately, is the foundation of a valid self-assessed route to PCI DSS compliance. ISpectra Technologies helps businesses analyze how they handle card data, determine the right SAQ type with confidence, implement the controls behind it, and complete the questionnaire and Attestation of Compliance correctly.

With free vulnerability assessment and penetration testing to satisfy the supporting requirements, and a 10% discount when PCI DSS is bundled with SOC 2 or ISO 27001, ISpectra removes the guesswork from SAQ selection and ensures your self-assessment matches your real environment and holds up to your acquirer's review.

Which PCI SAQ — FAQ

How do I know which SAQ applies to my business?
Your SAQ type depends on how you accept and handle card data: whether you are e-commerce or card-present, whether card data touches your systems or is fully outsourced, and whether you use terminals, applications, virtual terminals, or validated P2PE.

What is the difference between SAQ A and SAQ A-EP?
SAQ A is for merchants who fully outsource all card handling, while SAQ A-EP is for e-commerce merchants who partially outsource but whose website can affect the security of the payment page.

What is SAQ D?
SAQ D is the most comprehensive questionnaire, covering all PCI DSS requirements. It applies to merchants that handle card data more directly and do not qualify for a simpler SAQ, and to service providers eligible to self-assess.

What is SAQ P2PE?
SAQ P2PE is for merchants using a validated point-to-point encryption solution listed by the PCI SSC, where the merchant has no access to unencrypted card data or the keys, which reduces the applicable requirements.

What happens if I choose the wrong SAQ?
An incorrect SAQ produces an invalid self-assessment, either omitting requirements you must meet or including ones that do not apply, and may be rejected by your acquiring bank.

Which SAQ has the fewest requirements?
SAQ A has the fewest, as it is for merchants who fully outsource all card handling so that cardholder data never touches their systems. SAQ P2PE is also significantly reduced for eligible merchants.