Blog

What is a PCI DSS Self-Assessment Questionnaire?

Self-assessment questionnaires help evaluate and prove PCI DSS compliance. Find out which SAQ is right for your organization

Katrina Dalao
Sr. Content Marketing Specialist, CIPM
June 15, 2023

Two female lawyers converse on a courthouse's front steps.

If your organization deals with any type of cardholder data, then you’ve most likely heard of Self-Assessment Questionnaires. 

A Self-Assessment Questionnaire (SAQ) is a formal report of an organization’s compliance with the Payment Card Industry Data Security Standard (PCI DSS). It evaluates whether a merchant or service provider has taken the necessary measures to secure cardholder data and documents its overall security posture.  

The process of completing an SAQ is different for every organization. Even before the assessment starts, there are nine different types of SAQs to choose from, depending on your specific process payment method and cardholder environment. 

Below, we cover each SAQ type, what each one entails, and how to identify the most applicable SAQ for your environment. 

 

What is a PCI DSS Self-Assessment Questionnaire?

The Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaire (SAQ) is a validation tool designed to help merchants and service providers evaluate and report their PCI DSS compliance. 

Each SAQ starts with a “Before you Begin” section that outlines the type of cardholder environment covered by the specific questionnaire. This is followed by a series of “yes” or ”no” questions about all aspects of an organization's payment card processing activities and security controls, encompassing network security, system configuration, access control, and the like.

SAQs also include an Attestation of Compliance (AOC), which serves as a formal declaration of the organization’s compliance with PCI DSS requirements. 

In summary, the entire SAQ includes three sections: 

  • Section 1: Assessment Information and Executive Summary (Part 1 and 2 of the Attestation of Compliance)
  • Section 2: PCI DSS Self-Assessment Questionnaire 
  • Section 3: Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable) (Parts 3 & 4 of the AOC)

SAQs are available in an online format or as a downloadable PDF.

 

Who needs to complete a PCI DSS Self-Assessment Questionnaire?

Not every organization is eligible for self-assessment. Only merchants and service providers with lower transaction volumes — less than 6 million annual payment card transactions for merchants, and less than 300,000 annual payment card transactions for service providers — can submit an SAQ to demonstrate PCI DSS compliance. 

Organizations with a higher number of annual transactions are required to submit a more in-depth Report on Compliance (ROC). 

Read more about the different Merchant and Service Provider Levels as outlined by PCI DSS. 

For more information, organizations should also consult with their acquiring bank or payment brand to determine whether they are eligible to submit an SAQ and which SAQ is appropriate for their cardholder environment.

 

Which PCI SAQ is right for your business

There are nine types of PCI DSS SAQs — eight for merchants and one for service providers.* Determining which one is most appropriate for your organization depends on two factors: Whether you’re a merchant or service provider, and how you process card payments. 

See the following explanations to determine which SAQ type is best for your organization: 

 

SAQ A

Card-not-present merchants (ecommerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels. 

 

SAQ A-EP

Ecommerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing or transmission of cardholder data on merchant’s systems or premises. Applicable only to ecommerce channels. 

 

SAQ B 

Merchants using only: Imprint machines with no electronic cardholder data storage and/or standalone dial-out terminals with no electronic cardholder data storage. Not applicable to ecommerce channels. 

 

SAQ B-IP 

Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder data storage. Not applicable to ecommerce channels. 

 

SAQ C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to ecommerce channels.

 

SAQ C 

Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to ecommerce channels. 

 

SAQ P2PE-HW

Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE (point-to-point encryption) solution, with no electronic cardholder data storage. Not applicable to ecommerce merchants.  

 

SAQ D

SAQ D for Merchants: All merchants who are not included in descriptions for the above SAQ types. 

SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ. 

* This information is sourced directly from pcisecuritystandards.org

 

Flow chart depicting which SAQ best apply to environment

Download the full pdf

 

How to submit your PCI DSS SAQ?

SAQs are typically submitted to your organization's acquiring bank or payment card brand. It’s best to confirm whether they have specific instructions on how to submit your SAQ or any additional documentation or evidence.

Once the SAQ has been filled out and all supporting documentation has been collected (such as AOC), submit everything to your acquiring bank or payment card brand and await any next steps. Submission is typically done by uploading the documents through an online portal or using a secure file transfer method.

If your SAQ is deemed compliant, you will receive confirmation of your PCI DSS compliance. If there are any issues or areas of non-compliance, you will need to address these with additional clarification or information if necessary. 

 

How OneTrust helps with PCI DSS compliance.

If you need more information on how to select the appropriate PCI DSS SAQ for your organization, OneTrust is here to help. Our Certification Automation solution helps determine your compliance scope, identify any security gaps, and fill out the required SAQs. 

With OneTrust Certification Automation, you can build, scale, and automate your security compliance program, reduce your cost of compliance up to 60%, and obtain certifications 50% faster.  


You may also like

Webinar

Ethics Program Management

Ethics Exchange: Risk assessments

Join our risk assessments experts as we discuss best practices, program templates, and how provide an assessment that provides the best value for your organization.

October 25, 2023

Learn more

Infographic

Technology Risk & Compliance

5 key areas for improved automation in InfoSec compliance

Streamline and scale your organization’s InfoSec compliance program by focusing on these five key areas of automation

October 02, 2023

Learn more

eBook

Technology Risk & Compliance

Prioritizing the right InfoSec frameworks for your organization

In this free eBook, we explore the basics of three top InfoSec frameworks and how to decide which is the best fit for your organization.

September 27, 2023

Learn more