Completed Wrong SAQ
The Bottom Line Up Front
If you completed the wrong SAQ for your PCI compliance, don’t panic — you’re not the first business to choose the wrong questionnaire, and fixing it is usually straightforward. The most common mistake is selecting an SAQ that’s either too complex (like choosing SAQ D when you qualify for SAQ A) or too simple (selecting SAQ A when your actual payment setup requires SAQ C). Here’s what you need to know to identify which SAQ you should have completed and how to fix the situation without starting from scratch.
For most small businesses, PCI compliance is simpler than it sounds. Your payment processor sent you that compliance questionnaire because the card brands require it, but chances are you qualify for one of the easier SAQ types that take just an hour or two to complete. Let’s demystify this process and get you compliant with the right questionnaire.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) exists for one reason: to protect credit card data from theft. If you accept Visa, Mastercard, American Express, or Discover payments — whether in person, online, or over the phone — these standards apply to your business.
The major card brands created PCI DSS through an organization called the PCI Security Standards Council (PCI SSC). They don’t enforce it directly, though. Your acquirer (the bank that processes your card payments) or payment processor (like Square, Stripe, or your merchant services provider) handles enforcement. That’s who sent you the compliance questionnaire.
Here’s what happens if you’re not compliant:
- Your processor can fine you monthly (typically $25-$500 for small merchants)
- If there’s a breach, you’re liable for fraud costs and forensic investigations
- In extreme cases, you could lose the ability to accept credit cards
But here’s the good news: most small businesses qualify for the simplest SAQ types, which ask basic questions like “Do you have a firewall?” and “Do you limit access to payment systems?” You’re not building Fort Knox — you’re following common-sense security practices.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes.
It doesn’t matter if you process one transaction a month or thousands daily. The moment you accept a credit card payment — swiped, dipped, tapped, typed, or spoken over the phone — PCI DSS applies to your business.
Your merchant level determines how you validate compliance. Most small businesses fall into Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants complete an SAQ (Self-Assessment Questionnaire) instead of hiring a QSA for a full assessment.
Your payment processor expects you to:
- Complete the right SAQ annually
- Run quarterly vulnerability scans if you have any internet-facing systems
- Submit your AOC (Attestation of Compliance) to prove completion
- Fix any security gaps the process identifies
That compliance questionnaire they sent? It’s their way of saying “time to prove you’re protecting cardholder data.” The email might seem intimidating with all its acronyms and deadlines, but completing it is usually simpler than preparing your business taxes.
Which SAQ Do You Need?
The most common reason businesses complete the wrong SAQ is not understanding which one matches their payment setup. Here’s the decision tree in plain language:
Common Payment Scenarios
| How You Accept Payments | SAQ Type | Complexity | Typical Questions |
|---|---|---|---|
| Redirect to PayPal/Stripe (customer never enters card on your site) | SAQ A | Simplest | ~20 questions |
| E-commerce with payment fields on your site (even if hosted) | SAQ A-EP | Simple | ~140 questions |
| Standalone terminal only (Square, Clover, traditional terminal) | SAQ B | Simple | ~40 questions |
| Terminal + computer on same network | SAQ B-IP | Moderate | ~80 questions |
| Manual card entry into computer/virtual terminal | SAQ C-VT | Moderate | ~80 questions |
| Take payments over phone only | SAQ C | Moderate | ~140 questions |
| Store card numbers or complex setup | SAQ D | Complex | ~340 questions |
| Point-to-point encryption validated solution | SAQ P2PE | Simple | ~35 questions |
If you use a payment terminal like Square Reader, Clover, or a traditional credit card machine that’s not connected to your computer network, you likely need SAQ B. If that terminal connects to your office network or computer, bump up to SAQ B-IP.
If you have an e-commerce site using Shopify Payments, WooCommerce with Stripe, or any setup where customers are redirected completely away from your site to pay, you qualify for SAQ A — the simplest one. But if payment fields appear on your site (even in an iframe), you need SAQ A-EP.
If you take payments over the phone and type them into a web-based virtual terminal or payment software, that’s SAQ C-VT. Taking phone payments only? SAQ C.
If you store card numbers in any form — spreadsheets, customer database, CRM, accounting software — you’re stuck with SAQ D. This is where PCI compliance gets genuinely complex. Consider stopping this practice immediately.
Not sure which applies? PCICompliance.com offers a free SAQ Wizard that asks about your payment setup in plain language and tells you exactly which questionnaire you need. It takes less than five minutes and prevents the frustration of completing the wrong one.
How to Complete Your SAQ
Once you’ve identified the right SAQ, completing it is straightforward. The questionnaire contains yes/no questions about your security practices. Here’s what to expect:
What “Yes” Really Means
When you answer “yes” to a question like “Are system passwords changed regularly?” you’re stating that you actually do this, can prove it if asked, and will continue doing it. You’re not just hoping or planning — you’re confirming current practice.
Documentation You’ll Need
- Network diagram (can be hand-drawn for simple setups)
- List of who has access to payment systems
- Written security policies (templates are fine)
- Firewall configuration screenshots
- Evidence of quarterly password changes
- Vendor compliance certificates (from payment providers)
The Quarterly ASV Scan
If your SAQ type requires it (most do except SAQ A and B), you’ll need quarterly ASV (Approved Scanning Vendor) scans. These automated scans check your internet-facing systems for vulnerabilities. Schedule your first one as soon as possible — it can take a few rounds to pass if issues are found. PCICompliance.com includes ASV scanning with our platform, making this requirement painless.
Submitting Your Compliance
After completing your SAQ:
1. Generate your AOC (Attestation of Compliance) — this proves completion
2. Submit both documents (the completed SAQ and the AOC) to your payment processor
3. Save copies for your records
4. Set calendar reminders for next year
The entire process typically takes 2-4 hours for simple SAQ types, including gathering documentation.
What It Costs
Let’s talk real numbers so you can budget appropriately:
Compliance Platform and Tools
- Self-service SAQ platforms: $100-$300 annually
- Guided compliance platforms: $300-$1,000 annually
- Full-service with expert support: $1,000-$3,000 annually
Quarterly ASV Scanning
- Standalone ASV service: $100-$300 per scan
- Bundled with compliance platform: often included
- Remediation support: $100-$500 per hour if needed
If You Need a QSA
- Level 1 merchants or complex service providers require QSA assessments
- On-site assessment: $15,000-$50,000+
- Most small businesses never need this
The Cost of NON-Compliance
- Monthly non-compliance fees: $25-$500
- After a breach: $50-$90 per compromised card
- Forensic investigation: $10,000-$100,000
- Lost ability to process cards: business-ending
For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not just about avoiding penalties — it’s about protecting your business and customers.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components. Here’s how to stay on track:
Annual Requirements
- Complete your SAQ every 12 months
- Review and update security policies
- Train staff on payment security basics
- Verify vendor compliance hasn’t lapsed
Quarterly Requirements
- Run ASV scans (if required by your SAQ type)
- Review user access lists
- Check for system updates and patches
- Rotate passwords for payment systems
What Triggers a New Assessment
- Changing payment processors
- Adding new payment channels (like adding e-commerce to retail)
- Modifying how you handle card data
- Major network infrastructure changes
PCICompliance.com’s compliance dashboard tracks all these dates and requirements for you. You’ll get reminders before deadlines, alerts if your status changes, and a clear view of what’s needed to maintain compliance throughout the year.
FAQ
Q: What happens if I already submitted the wrong SAQ?
A: Contact your payment processor to explain the mistake. Most are understanding if you’re proactively fixing it. Complete the correct SAQ and resubmit with an explanation. You typically won’t face penalties if you correct it promptly.
Q: How do I know for sure which SAQ I need?
A: Use PCICompliance.com’s free SAQ Wizard or call your payment processor’s compliance department. Describe exactly how you accept payments and they’ll confirm the right questionnaire. When in doubt, document your payment flow and ask for guidance.
Q: Can I just pick the easiest SAQ to save time?
A: No — selecting an incorrect SAQ leaves you non-compliant and liable if there’s a breach. Your processor can also reject your submission if it doesn’t match your merchant account setup. Always choose the SAQ that accurately reflects your payment methods.
Q: What if my business uses multiple payment methods?
A: You complete the SAQ for your most complex payment channel. If you have both e-commerce (SAQ A) and phone orders (SAQ C-VT), you’d complete SAQ C-VT. The more complex SAQ covers all simpler scenarios.
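The scenario table and the paragraphs after it form a decision tree, and this answer adds the tie-breaking rule for merchants with several channels. The following Python is an added example that encodes both in one place; it is not code from the original article or from PCICompliance.com's SAQ Wizard. The channel attribute names (`card_fields_on_site`, `terminal_on_network`, `virtual_terminal`) are hypothetical, and "most complex" is approximated by the article's own question counts, so a tie between two equally sized questionnaires (B-IP and C-VT, A-EP and C) resolves to whichever was seen first.

```python
"""SAQ selection decision tree built from the scenario table in this article.

Constructed example. The ranking below uses the article's approximate question
counts as a proxy for "most complex"; PCI SSC does not publish such a ranking.
"""
from dataclasses import dataclass

# Approximate question counts from the article's table (assumption: used as rank).
QUESTION_COUNT = {
    "SAQ A": 20, "SAQ P2PE": 35, "SAQ B": 40, "SAQ B-IP": 80,
    "SAQ C-VT": 80, "SAQ A-EP": 140, "SAQ C": 140, "SAQ D": 340,
}


@dataclass
class PaymentChannel:
    """One way the merchant accepts cards. Attribute names are hypothetical."""
    kind: str                        # "ecommerce", "terminal", "p2pe" or "phone"
    card_fields_on_site: bool = False   # ecommerce: card fields (even iframe) on your site?
    terminal_on_network: bool = False   # terminal: connected to your office network/computer?
    virtual_terminal: bool = False      # phone: numbers keyed into a web-based virtual terminal?


def saq_for_channel(ch: PaymentChannel) -> str:
    """Map a single channel to the SAQ type the article's table assigns it."""
    if ch.kind == "ecommerce":
        # Full redirect to PayPal/Stripe is SAQ A; any payment field on your site is A-EP.
        return "SAQ A-EP" if ch.card_fields_on_site else "SAQ A"
    if ch.kind == "terminal":
        # Standalone terminal is SAQ B; a terminal on your network bumps to B-IP.
        return "SAQ B-IP" if ch.terminal_on_network else "SAQ B"
    if ch.kind == "p2pe":
        # Validated point-to-point encryption solution.
        return "SAQ P2PE"
    if ch.kind == "phone":
        # Phone orders typed into a virtual terminal are C-VT; phone only is C (per the article).
        return "SAQ C-VT" if ch.virtual_terminal else "SAQ C"
    raise ValueError(f"unknown channel kind: {ch.kind!r}")


def select_saq(channels: list, stores_card_data: bool) -> tuple:
    """Return (chosen SAQ, per-channel reasons).

    Storing card numbers anywhere (spreadsheet, CRM, database) forces SAQ D
    regardless of channels. Otherwise the most complex channel's SAQ wins,
    because the more complex questionnaire covers all simpler scenarios.
    """
    if stores_card_data:
        return "SAQ D", ["card numbers are stored, so SAQ D applies to everything"]
    if not channels:
        raise ValueError("no payment channels given: PCI DSS applies only if you accept cards")
    per_channel = [(saq_for_channel(c), c) for c in channels]
    chosen = max(per_channel, key=lambda pair: QUESTION_COUNT[pair[0]])[0]
    reasons = [f"{c.kind}: {saq}" for saq, c in per_channel]
    return chosen, reasons


if __name__ == "__main__":
    # Constructed merchant: redirect-only web shop plus phone orders keyed into a virtual terminal.
    shop = [PaymentChannel("ecommerce"), PaymentChannel("phone", virtual_terminal=True)]
    saq, why = select_saq(shop, stores_card_data=False)
    print(saq, why)   # the FAQ's example: SAQ C-VT covers the SAQ A web channel too
```

Run it with `python saq_select.py`; to check your own setup, build one `PaymentChannel` per way you take cards and call `select_saq`. The `stores_card_data` check deliberately comes before anything else so that a stored spreadsheet of card numbers cannot be hidden behind a simpler channel, mirroring the article's advice that storing card data is what drags a merchant into SAQ D.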
Q: How long do I have to complete PCI compliance?
A: Your processor sets the deadline, typically 30-90 days from notification. Missing it usually triggers monthly non-compliance fees. Start immediately — even complex SAQs can be completed in a few days with focused effort.
Q: Do I need to hire a consultant?
A: Most small businesses don’t need consultants for SAQ completion. If you’re SAQ D or struggling with technical requirements, expert help can save time and ensure accuracy. PCICompliance.com provides built-in guidance that eliminates the need for most consultants.
Q: What if I fail my ASV scan?
A: Failed scans are common on first attempts. The report shows exactly what needs fixing — usually software updates or firewall adjustments. Fix the issues and rescan. You’re only non-compliant if you don’t address the findings within reasonable timeframes.
Q: Can I claim I don’t store card data if I really do?
A: Never lie on your SAQ — it’s legally binding. If discovered, you face immediate non-compliance, potential card brand fines, and full liability for any breaches. If you’re storing card data, either stop the practice or complete the appropriate SAQ D.
Take Control of Your PCI Compliance
Discovering you completed the wrong SAQ is frustrating, but it’s entirely fixable. Most businesses find they actually qualify for a simpler SAQ than they initially chose — that SAQ D you struggled with might actually be an SAQ A that takes an hour.
The key is understanding your actual payment setup and choosing the right questionnaire. Once you’re on the correct SAQ, maintaining compliance becomes a manageable part of running your business, not an annual nightmare.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll never wonder if you’re compliant or when your next deadline is. Start with the free SAQ Wizard to confirm your correct SAQ type, or talk to our compliance team if you need guidance untangling your current situation. We’ve helped thousands of merchants fix their compliance approach, and we can help you too.