Not Sure Which SAQ? A Beginner’s Guide to Finding Your Right Self-Assessment Questionnaire
Introduction
If you accept credit card payments for your business, you’ve probably heard about PCI compliance and something called an “SAQ.” But with multiple types of SAQs available, many business owners find themselves confused about which one applies to their specific situation.
What You’ll Learn
In this comprehensive guide, you’ll discover exactly how to determine which Self-Assessment Questionnaire (SAQ) your business needs. We’ll walk you through the decision-making process step by step, explain the different types of SAQs in plain English, and help you avoid common mistakes that could put your business at risk.
Why This Matters
Choosing the wrong SAQ isn’t just an administrative error—it can leave your business vulnerable to data breaches, result in hefty fines, and even cause you to lose the ability to process credit card payments. Getting it right from the start protects both your customers and your business.
Who This Guide Is For
This guide is designed for small to medium-sized business owners, office managers, and anyone responsible for payment processing who needs to understand SAQ requirements but doesn’t have a technical background in payment security.
The Basics
Core Concepts Explained Simply
What is an SAQ?
A Self-Assessment Questionnaire (SAQ) is a validation tool created by the Payment Card Industry Security Standards Council (PCI SSC). Think of it as a checklist that helps you evaluate whether your business is following proper security practices when handling credit card information.
Why Do SAQs Exist?
SAQs exist to ensure that businesses of all sizes maintain basic security standards when processing, storing, or transmitting credit card data. They’re part of the Payment Card Industry Data Security Standard (PCI DSS)—a set of security requirements established by the major credit card companies.
Key Terminology
- Card Data Environment (CDE): Any location where credit card information is processed, stored, or transmitted
- Cardholder Data: Information printed on the front of a payment card, including the card number and cardholder name
- Payment Application: Software that stores, processes, or transmits cardholder data
- Service Provider: A third-party company that provides services related to payment processing
How It Relates to Your Business
Every business that accepts credit card payments must complete an SAQ annually. The type of SAQ you need depends on how your business processes credit card transactions. For example:
- If you only process payments online through a third-party service like PayPal or Stripe, you’ll need a different SAQ than a retail store with physical card readers
- If you store credit card information on your systems, you’ll face more stringent requirements than businesses that don’t store any card data
Why It Matters
Business Implications
Completing the correct SAQ demonstrates to your payment processor, acquiring bank, and customers that you take payment security seriously. This isn’t just about checking a box—it’s about building trust and protecting your business reputation.
Risk of Non-Compliance
Businesses that fail to complete the appropriate SAQ or choose the wrong one may face:
- Fines ranging from $5,000 to $100,000 per month until compliance is achieved
- Increased transaction fees imposed by payment processors
- Loss of credit card processing privileges, which could devastate your business
- Liability for fraud losses if a breach occurs
- Damage to business reputation and customer trust
Benefits of Compliance
On the flip side, proper PCI compliance offers significant benefits:
- Protection from data breaches through improved security practices
- Reduced liability in case of fraud incidents
- Lower processing fees from some payment processors
- Enhanced customer confidence in your business
- Competitive advantage over non-compliant competitors
Step-by-Step Guide
What You Need to Get Started
Before determining your SAQ type, gather the following information:
1. Payment methods you accept (online, in-person, phone, mail)
2. Payment processing setup (third-party services, direct merchant account, etc.)
3. Card data storage practices (do you store any credit card information?)
4. Transaction volume (approximate number of card transactions per year)
Clear Actionable Steps
Step 1: Identify Your Payment Channels
List all the ways customers can pay you with credit cards:
- Website checkout
- In-store card readers
- Phone orders
- Mail-in payments
- Mobile payments
Step 2: Determine Your Processing Method
For each payment channel, identify whether you:
- Use a third-party payment service (PayPal, Square, Stripe, etc.)
- Have direct integration with a payment processor
- Use standalone card terminals
- Process cards manually (imprint machines, etc.)
Step 3: Assess Data Storage
Honestly evaluate whether your business:
- Stores credit card numbers in any system or file
- Keeps copies of receipts with full card numbers
- Has any backup systems that might contain card data
Step 4: Review Your Setup Against SAQ Criteria
Based on your answers above, match your situation to the appropriate SAQ:
- SAQ A: E-commerce businesses using third-party payment services with no card data storage
- SAQ A-EP: E-commerce businesses with partially outsourced payment processing
- SAQ B: Businesses using standalone card terminals with no electronic storage
- SAQ B-IP: Businesses using standalone terminals connected to the internet
- SAQ C-VT: Businesses processing payments through virtual terminals
- SAQ C: Businesses with payment applications connected to the internet
- SAQ D: Businesses that don’t fit other categories or have complex environments
Step 5: Verify Your Choice
Review the official SAQ instructions document for your chosen type to ensure it matches your business environment exactly.
Timeline Expectations
- Research and assessment: 1-2 hours
- SAQ completion: 2-8 hours depending on complexity
- Implementation of any required changes: 1-4 weeks
- Annual renewal: Plan to start the process 60 days before your compliance deadline
Common Questions Beginners Have
“What if my business fits multiple SAQ types?”
Choose the most restrictive SAQ that applies to your situation. When in doubt, it’s better to err on the side of caution with a more comprehensive assessment.
“Can I switch SAQ types if my business changes?”
Yes, you should reassess your SAQ type whenever you change payment processing methods, add new payment channels, or modify how you handle card data.
“What if I’m not sure about my technical setup?”
Contact your payment processor or the company that set up your payment systems. They should be able to explain exactly how transactions are processed in your environment.
“Do I need to hire an expert to complete my SAQ?”
Many businesses can complete simpler SAQs (like SAQ A) themselves. However, more complex environments may benefit from professional assistance.
Mistakes to Avoid
Common Beginner Errors
Choosing SAQ A When You Don’t Qualify
SAQ A is the simplest questionnaire, but it has strict requirements. You only qualify if you completely outsource payment processing and never store, process, or transmit card data on your systems.
Assuming Outsourcing Means No Responsibility
Even when using third-party payment services, you still have compliance responsibilities. Make sure you understand what your service provider covers and what remains your responsibility.
Ignoring All Payment Methods
Don’t focus only on your primary payment method. If you accept phone orders even occasionally, this affects your SAQ choice.
Guessing About Data Storage
Many businesses unknowingly store card data in backup files, email systems, or old databases. Conduct a thorough search before assuming you don’t store any card information.
How to Prevent These Mistakes
- Read the official SAQ instructions carefully before making your selection
- Document your payment processes to ensure you haven’t missed anything
- Ask your payment service providers about their PCI compliance responsibilities
- Conduct a data discovery scan to identify any stored card data
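The last item, a data discovery scan, is the one step on this list that can be partly automated. The script below is an added illustration of the idea, not part of the original guide and not any vendor's scanning product: it walks a set of text sources (here a constructed CSV export, an email body and a database backup fragment, built inline for the example), pulls out runs of 13 to 19 digits, keeps only those that pass the Luhn check that real card numbers satisfy, and reports each hit with the number masked to its first six and last four digits, so the scan report itself does not become another place where full card numbers are stored. The card numbers in the sample data are the publicly documented brand test numbers, not real accounts, and the source names are made up.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. Runs longer than 19 digits are
# deliberately skipped; they are too long to be a card number.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; the report must not hold full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str
    line_no: int
    masked: str


def find_pans(text: str, source: str) -> list[Finding]:
    """Scan one text source line by line and return masked, Luhn-valid hits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    """Scan a mapping of source name -> text content (constructed stand-in for files)."""
    results = []
    for name, content in sources.items():
        results.extend(find_pans(content, name))
    return results


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per source so the owner knows which systems need cleanup."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.source] = counts.get(f.source, 0) + 1
    return counts


# Constructed sample sources. Card numbers are brand test numbers, not real accounts.
SAMPLE_SOURCES = {
    "orders_export.csv": (
        "order_id,customer,card\n"
        "10023,Alice,4111 1111 1111 1111\n"      # Visa test number, Luhn-valid
        "10024,Bob,paid by check\n"
    ),
    "inbox_bob.txt": (
        "Call me at 555-123-4567 about ref 1234567890123456.\n"   # phone too short, ref fails Luhn
        "The customer read out 3782 822463 10005 over the phone.\n"  # Amex test number
    ),
    "backup_2019.sql": (
        "INSERT INTO payments VALUES (7, '5555-5555-5555-4444', '2019-03-01');\n"  # Mastercard test number
    ),
}

if __name__ == "__main__":
    hits = scan_sources(SAMPLE_SOURCES)
    for h in hits:
        print(f"{h.source}:{h.line_no}: {h.masked}")
    print(summarize(hits))
```

Two design points matter in practice. The Luhn filter is what keeps order numbers and phone numbers out of the report (the sixteen-digit reference in the email fails the check and is dropped), and masking at the point of detection means the output can be shared with a processor or consultant without creating a new copy of cardholder data. A real sweep would feed this the contents of mailboxes, backups, spreadsheets and database dumps rather than the inline strings used here.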
What to Do If You Make Them
If you realize you’ve chosen the wrong SAQ:
1. Don’t panic—mistakes happen and can be corrected
2. Complete the correct SAQ as soon as possible
3. Implement any additional security requirements from the new SAQ
4. Update your compliance documentation with your payment processor
5. Consider consulting with a PCI expert if you’re still uncertain
Getting Help
When to DIY vs. Seek Help
DIY is appropriate when:
- You have a simple payment setup (e.g., only online payments through PayPal)
- Your business clearly fits SAQ A or B criteria
- You’re comfortable reading technical documentation
- You have time to research and implement requirements
Seek professional help when:
- You process more than 20,000 online transactions annually
- You have multiple payment channels or complex integrations
- You store any payment card information
- You’re uncertain about your technical environment
- You’ve experienced compliance issues in the past
Types of Services Available
PCI Compliance Scanning Services: Automated tools that check your systems for vulnerabilities and help with SAQ completion.
Compliance Consultants: Experts who can assess your environment, recommend the correct SAQ, and help implement necessary security measures.
Managed Compliance Services: Full-service providers that handle your entire PCI compliance program, including SAQ completion and ongoing monitoring.
How to Evaluate Providers
Look for providers who:
- Have relevant PCI certifications (QSA, ASV, etc.)
- Offer transparent pricing
- Provide ongoing support, not just one-time assessments
- Have experience with businesses similar to yours
- Can explain complex concepts in terms you understand
Next Steps
What to Do After Reading
1. Use the SAQ selection criteria provided in this guide to identify your most likely SAQ type
2. Download the official SAQ from the PCI Security Standards Council website
3. Review the detailed requirements to confirm your selection
4. Create a compliance timeline with deadlines for completion
5. Gather any documentation you’ll need to complete the assessment
Related Topics to Explore
- Understanding PCI DSS Requirements: Learn about the underlying security standards
- Payment Tokenization: Discover how to reduce your compliance scope
- Incident Response Planning: Prepare for potential security breaches
- Employee Security Training: Ensure your team understands their role in compliance
Resources for Deeper Learning
- PCI Security Standards Council official website
- Your payment processor’s compliance resources
- Industry-specific PCI guidance documents
- Local cybersecurity organizations and training programs
FAQ
Q: How often do I need to complete an SAQ?
A: SAQs must be completed annually, though some businesses may need to complete them more frequently if required by their payment processor or acquiring bank.
Q: What happens if I can’t complete my SAQ by the deadline?
A: Contact your payment processor immediately to discuss your situation. Late completion often results in fines, but communication can sometimes help minimize penalties while you work toward compliance.
Q: Can I use last year’s SAQ answers for this year’s assessment?
A: While previous answers can serve as a reference, you must reassess your environment each year. Payment processes, systems, and requirements can change, making old answers potentially inaccurate.
Q: Do I need to complete an SAQ if I only accept cash and checks?
A: No, SAQs are only required for businesses that accept payment cards (credit cards, debit cards, prepaid cards). However, if you plan to accept cards in the future, it’s wise to understand the requirements in advance.
Q: What’s the difference between PCI compliance and SAQ completion?
A: Completing an SAQ is just one part of PCI compliance. You must also implement the security measures described in the SAQ, maintain them throughout the year, and potentially undergo vulnerability scanning.
Q: Can I complete multiple SAQs if my business has different divisions?
A: Generally, you complete one SAQ that covers your entire card data environment. However, if you have completely separate payment processing systems for different business units, you may need separate assessments. Consult with a PCI expert for complex situations.
Conclusion
Determining the right SAQ for your business doesn’t have to be overwhelming. By understanding your payment processing environment, honestly assessing your data handling practices, and carefully reviewing the official criteria, you can confidently select the appropriate questionnaire.
Remember that PCI compliance is an ongoing process, not a one-time event. The security practices you implement to meet SAQ requirements will protect your business and customers year-round, making the effort worthwhile from both a compliance and business security perspective.
The most important step is to get started. Even if you’re not 100% certain about your choice, beginning the assessment process will help clarify your requirements and move you toward compliance.
Ready to determine which SAQ your business needs? Try our free PCI SAQ Wizard tool at PCICompliance.com. This interactive tool asks simple questions about your payment processing setup and provides personalized recommendations for your SAQ type. Plus, you’ll get access to expert guidance and affordable compliance tools to help you complete your assessment and maintain ongoing compliance. Start your compliance journey today and protect your business with confidence.
PCICompliance.com helps thousands of businesses achieve and maintain PCI DSS compliance with affordable tools, expert guidance, and ongoing support.