If you’ve been told to complete a Self-Assessment Questionnaire (SAQ) as part of your PCI DSS v4.0.1 compliance, you might be wondering: Which version applies to me?
The right SAQ depends on how you accept payment cards, your merchant level, and how your payment environment is structured. Choosing the correct SAQ is crucial—it ensures your validation process is accurate and keeps you compliant with PCI DSS.
At Backbone Security, our 1 Stop PCI Scan service helps you not only meet the quarterly scanning requirement, but also navigate the SAQ process with confidence.
A Self-Assessment Questionnaire (SAQ) is a series of yes/no questions that help merchants and service providers evaluate their PCI DSS compliance. There are multiple types of SAQs, each tailored to a specific payment environment.
SAQs are typically used by Level 2, 3, and 4 merchants. Level 1 merchants are required to undergo a Report on Compliance (ROC) by a QSA.
Use the table below to identify the SAQ that matches your payment environment.
SAQ Type | Use Case | Who It’s For |
---|---|---|
SAQ A | Card-not-present merchants using only fully outsourced e-commerce and/or mail/telephone order processing | You have no electronic storage, processing, or transmission of cardholder data on your systems |
SAQ A-EP | E-commerce merchants that outsource payment processing but retain partial control over the website (e.g., JavaScript, iframes) | You don’t store card data, but your site can affect the security of the transaction |
SAQ B | Merchants using only imprint machines or standalone dial-out terminals without internet connectivity | No cardholder data is stored electronically |
SAQ B-IP | Merchants using IP-connected standalone terminals that send card data directly to the processor | You don’t store cardholder data electronically |
SAQ C-VT | Merchants entering cardholder data manually into a virtual terminal on a computer not used for other internet activity | You don’t store card data electronically |
SAQ C | Merchants with payment systems connected to the internet but with a segmented and secure network | No electronic storage of cardholder data |
SAQ P2PE | Merchants using a PCI-validated Point-to-Point Encryption (P2PE) solution | All payment terminals are managed and listed as validated P2PE devices |
SAQ D – Merchant | All other merchants not covered by SAQ A through P2PE | You store cardholder data or have complex systems |
SAQ D – Service Provider | All service providers eligible to complete an SAQ rather than an ROC | Applies to providers storing, processing, or transmitting cardholder data on behalf of clients |
If you’re uncertain which SAQ is right for your business, you’re not alone. The wrong SAQ can delay your compliance efforts or lead to a failed validation.
✅ 1 Stop PCI Scan includes access to expert guidance from the Backbone Security team, so you’ll always know:
- Which SAQ to complete
- What questions to expect
- How scanning ties into your SAQ
Many modern merchants use third-party platforms like Stripe, Square, or PayPal. If:
- You do not store, process, or transmit cardholder data on your systems
- You rely entirely on validated third-party processors
- You only use redirects or hosted iFrames
…you may be eligible for SAQ A.
However, if you control elements of your website (e.g., embedded scripts or payment forms), you may fall under SAQ A-EP, which has stricter requirements.
1 Stop PCI Scan – A Division of Backbone Security, Inc.