Which SAQ Am I?
Answer a few quick questions to find out which PCI DSS Self-Assessment Questionnaire applies to your business.
Do you store full credit card numbers (PAN) electronically in your database or logs?
How do you accept payments? (Select all that apply)
How do customers enter their card details on your website?
What kind of payment machine do you use?
How do you process the card data you receive over the phone or mail?
SAQ A
The simplest compliance level for e-commerce
What this means for you:
- Approximately 22 requirements to meet
- No vulnerability scans required
- Focus on policies, access control, and vendor management
- Annual self-assessment questionnaire
This result is a recommendation based on your inputs. Confirm your SAQ type with your acquiring bank or payment processor.
SAQ A-EP
E-commerce with direct data handling
What this means for you:
- Approximately 191 requirements to meet
- Quarterly vulnerability scans required (ASV)
- Penetration testing may be required
- Significantly higher security obligations than SAQ A
This result is a recommendation based on your inputs. Confirm your SAQ type with your acquiring bank or payment processor.
SAQ B
Standalone dial-up terminals
What this means for you:
- Approximately 41 requirements to meet
- No vulnerability scans required
- Focus on physical security and terminal management
- One of the simpler retail SAQ types
This result is a recommendation based on your inputs. Confirm your SAQ type with your acquiring bank or payment processor.
SAQ B-IP
Standalone IP-connected terminals
What this means for you:
- Approximately 82 requirements to meet
- Quarterly vulnerability scans required (ASV)
- Focus on network segmentation and terminal security
- More requirements than SAQ B due to internet connectivity
This result is a recommendation based on your inputs. Confirm your SAQ type with your acquiring bank or payment processor.
SAQ C
Payment application systems
What this means for you:
- Approximately 160 requirements to meet
- Quarterly vulnerability scans required (ASV)
- Focus on POS system security and network controls
- Your payment application must be PA-DSS validated
This result is a recommendation based on your inputs. Confirm your SAQ type with your acquiring bank or payment processor.
SAQ C-VT
Virtual terminal only
What this means for you:
- Approximately 79 requirements to meet
- No vulnerability scans required
- Focus on workstation security and access controls
- Your virtual terminal must be provided by a PCI-compliant processor
This result is a recommendation based on your inputs. Confirm your SAQ type with your acquiring bank or payment processor.
SAQ D
Full PCI DSS validation required
What this means for you:
- All 300+ PCI DSS requirements apply
- Quarterly vulnerability scans required (ASV)
- Annual penetration testing required
- Most comprehensive and resource-intensive SAQ type
- Consider working with a QSA (Qualified Security Assessor)
This result is a recommendation based on your inputs. Confirm your SAQ type with your acquiring bank or payment processor.
Multiple SAQs
You can assess each payment channel independently
What this means for you:
- File a separate SAQ for each payment channel
- Each channel is assessed independently against its own requirements
- Total compliance effort equals the sum of each individual SAQ
- Confirm this approach with your acquiring bank before filing
This result is a recommendation based on your inputs. Confirm your SAQ types with your acquiring bank or payment processor.