How Do I Determine Which SAQ To Complete?

Answer: This is based on how you intend to process credit card information.

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS 3.2.1 SAQ to meet various scenarios.

As shown below, you will need to select the appropriate SAQ document based on the manner in which you carry out business. For instance, e-commerce businesses would only need to look at rows where the column for “E-commerce Channel” is checked. Business that store cardholder data electronically would need to make sure the column for “Electronic Cardholder Data Storage Allowed” is checked.

SAQ D is a catch all for businesses that don’t fit nicely into the other categories. Any business is free to use SAQ D, although D contains the most questions and requirements.

SAQ Breakdown

Further guidance on which SAQ best applies to your business can be found in the official PCI guidelines or by discussing your situation with 1 Stop PCI Scan representatives.