SAQ A-EP vs SAQ D: A Beginner’s Guide to Choosing the Right Compliance Path
Introduction
What You’ll Learn
If you’re new to PCI compliance and wondering whether you need to complete SAQ A-EP or SAQ D, you’re not alone. These two Self-Assessment Questionnaires (SAQs) often cause confusion for business owners who accept credit card payments online. This guide will help you understand the key differences between SAQ A-EP and SAQ D, determine which one applies to your business, and take the right steps toward compliance.
Why This Matters
Choosing the correct SAQ isn’t just about checking boxes—it directly impacts your business operations, security requirements, and the time and resources you’ll need to invest in compliance. The difference between SAQ A-EP (with 191 requirements) and SAQ D (with 329 requirements) is significant, potentially saving you months of work and thousands of dollars if you qualify for the simpler option.
Who This Guide Is For
This guide is designed for:
- Small to medium business owners who accept payments online
- E-commerce managers new to PCI compliance
- IT professionals tasked with compliance but unfamiliar with PCI DSS
- Anyone confused about which SAQ their business needs to complete
The Basics
Core Concepts Explained Simply
PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a set of security rules that any business accepting credit cards must follow to protect customer payment information.
SAQ means Self-Assessment Questionnaire. It’s a form you fill out to show you’re following the security rules. Different types of businesses use different SAQs based on how they handle payments.
SAQ A-EP is designed for e-commerce merchants who outsource all payment processing to validated third parties. The “EP” stands for “Ecommerce/Mail Order-Telephone Order.”
SAQ D is the most comprehensive questionnaire, designed for merchants who store, process, or transmit cardholder data in any electronic format and don’t qualify for simpler SAQs.
Key Terminology
- Cardholder Data: The sensitive payment information on a credit card (card number, expiration date, etc.)
- Payment Gateway: A service that securely transmits payment data between your website and the payment processor
- Tokenization: Replacing sensitive card data with a unique identifier that has no value if stolen
- Merchant Account: Your business bank account that receives credit card payments
How It Relates to Your Business
Your SAQ type determines:
- How many security controls you need to implement
- The complexity of your compliance process
- Annual compliance costs
- The level of IT infrastructure required
- How often you need to assess your security
Why It Matters
Business Implications
Choosing the wrong SAQ can lead to:
- Over-compliance: Implementing unnecessary security controls that waste resources
- Under-compliance: Missing critical security requirements that leave you vulnerable
- Failed assessments: Having to redo compliance work, causing delays and extra costs
Getting it right means:
- Appropriate security for your actual risk level
- Efficient use of resources
- Faster path to compliance
- Lower ongoing maintenance costs
Risk of Non-Compliance
Non-compliance with PCI DSS can result in:
- Fines: Between $5,000 and $100,000 per month from payment brands
- Increased transaction fees: Non-compliant businesses pay higher rates
- Loss of payment acceptance: Card brands can revoke your ability to accept cards
- Data breach liability: Average cost of a breach exceeds $4 million
- Reputation damage: Lost customer trust can devastate your business
Benefits of Compliance
Beyond avoiding penalties, compliance provides:
- Customer confidence: Shoppers trust secure businesses
- Competitive advantage: Many customers prefer PCI-compliant merchants
- Reduced fraud: Proper security significantly decreases fraud attempts
- Business continuity: Avoid disruptions from security incidents
- Peace of mind: Know you’re protecting your customers properly
Step-by-Step Guide
Step 1: Understand Your Payment Flow
Map out exactly how payments work in your business:
1. Where do customers enter their card information?
2. Does your website ever see or touch the actual card numbers?
3. Who processes the payments?
4. Where is card data stored (if anywhere)?
Step 2: Determine SAQ A-EP Eligibility
You may qualify for SAQ A-EP if ALL of these are true:
- Your e-commerce website doesn’t directly receive cardholder data
- Customers are redirected to a third-party payment page
- The payment processor is PCI DSS validated
- You don’t store any cardholder data electronically
- Your website properly implements the redirect (no card data passes through)
Step 3: Determine If SAQ D Applies
You likely need SAQ D if ANY of these are true:
- Your website directly collects card information
- You store cardholder data in any electronic format
- You have a complex payment environment with multiple channels
- You don’t qualify for any other SAQ type
- You process payments through your own systems
Step 4: Gather Documentation
For either SAQ, you’ll need:
- Network diagrams showing payment data flow
- List of all payment acceptance methods
- Contracts with payment service providers
- Current security policies and procedures
- Asset inventory of systems handling payments
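As an added illustration of Steps 1 to 3 (example code written for this guide, not a tool from the original page or from PCICompliance.com), the script below inspects a checkout page's static HTML and reports whether any form asks for card fields and whether those fields post back to your own host, which is the "your website directly collects card information" case above. The merchant hostname, the field-name patterns and the two sample pages are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names that indicate the form itself collects cardholder data (assumed patterns).
CARD_FIELD = re.compile(r"card.?num|\bpan\b|cvv|cvc|csc|exp.?(month|year|date)|expir", re.I)

class CheckoutFormParser(HTMLParser):
    """Records every <form> on the page with its action URL and its input names."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(a.get("name") or a.get("id") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def classify_checkout(html, merchant_host):
    """Return 'redirect-only', 'posts-to-third-party' or 'merchant-collects'.
    Only static HTML is inspected: fields injected by JavaScript or rendered inside
    a gateway iframe are invisible here and need a separate check."""
    parser = CheckoutFormParser()
    parser.feed(html)
    verdict = "redirect-only"            # no form on the page asks for card data
    for form in parser.forms:
        if not any(CARD_FIELD.search(f) for f in form["fields"]):
            continue
        # A relative action posts back to the merchant's own host.
        host = urlparse(form["action"]).hostname or merchant_host
        if host == merchant_host:
            return "merchant-collects"   # card data reaches your server: SAQ D criterion above
        verdict = "posts-to-third-party"  # card fields present but sent elsewhere: review eligibility
    return verdict

# Constructed sample pages (not taken from any real merchant site).
REDIRECT_PAGE = '<form action="https://pay.gateway.example/checkout" method="post"><input name="order_id" value="42"><input type="submit"></form>'
MERCHANT_PAGE = '<form action="/checkout/pay" method="post"><input name="card_number"><input name="cvv"><input name="exp_month"></form>'
```

Run `classify_checkout(page_html, "shop.example")` on a saved copy of your own checkout page; a "merchant-collects" result means the redirect described in Step 2 is not in place.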
Timeline Expectations
- SAQ A-EP: Most businesses complete initial compliance in 1-3 months
- SAQ D: Expect 6-12 months for first-time compliance
- Annual reassessment: Both require yearly updates, taking 1-4 weeks if maintained properly
Common Questions Beginners Have
“My payment processor says they’re compliant—aren’t I covered?”
Not entirely. While using a compliant processor helps, you’re still responsible for your part of the payment process. Think of it like home security—having a secure bank doesn’t mean you can leave your doors unlocked.
“Can I switch from SAQ D to SAQ A-EP?”
Yes! Many businesses modify their payment processes to qualify for simpler SAQs. Common changes include:
- Implementing payment page redirects
- Removing local card data storage
- Upgrading to tokenization
- Outsourcing call center operations
“Do I really need to do this if I’m a small business?”
Yes, PCI compliance applies to all businesses that accept payment cards, regardless of size. However, smaller businesses often qualify for simpler SAQs and may have lower compliance costs.
“What if I’m not sure which SAQ applies?”
When in doubt, it’s better to ask for help than guess. Using the wrong SAQ can invalidate your compliance efforts. Many businesses start with professional guidance to ensure they’re on the right track.
Mistakes to Avoid
Common Beginner Errors
1. Assuming the simplest SAQ applies: Wishful thinking doesn’t equal compliance
2. Ignoring payment data flow: Not understanding where card data goes
3. Forgetting about phone/mail orders: These can change your SAQ type
4. Incomplete implementation: Starting SAQ A-EP processes but not finishing the technical setup
5. Documentation gaps: Having security measures but no proof
How to Prevent Them
- Map everything: Document all ways you accept payments
- Verify technical implementations: Test that redirects work properly
- Review annually: Business changes can affect your SAQ type
- Keep records: Document all compliance activities
- Get confirmation: Verify your payment processor’s compliance status
What to Do If You Make Them
- Don’t panic: Mistakes are correctable
- Stop and reassess: Determine the correct SAQ before proceeding
- Fix gaps quickly: Address any security vulnerabilities immediately
- Document corrections: Show you’ve addressed the issues
- Consider help: Professional guidance can save time and prevent future errors
Getting Help
When to DIY vs. Seek Help
Consider DIY if:
- You clearly qualify for SAQ A-EP
- You have IT staff familiar with security
- Your payment process is simple
- You have time to learn compliance requirements
Seek professional help if:
- You’re unsure which SAQ applies
- You need SAQ D compliance
- You lack technical security expertise
- Compliance deadlines are tight
- You’ve failed previous assessments
Types of Services Available
- Compliance consultants: Provide expertise and guidance
- Managed security providers: Handle technical implementations
- QSA companies: Offer formal assessments for larger merchants
- Compliance software platforms: Automate documentation and tracking
- Payment facilitators: May include compliance support
How to Evaluate Providers
Look for:
- PCI DSS expertise: Specific experience with your SAQ type
- Clear pricing: Understand all costs upfront
- Ongoing support: Compliance isn’t one-and-done
- References: Talk to similar businesses they’ve helped
- Technology tools: Modern platforms make compliance easier
Next Steps
What to Do After Reading
1. Assess your current payment setup: Map out how you accept payments
2. Identify your likely SAQ type: Use the criteria provided
3. Evaluate your resources: Determine if you need external help
4. Create a timeline: Set realistic compliance deadlines
5. Start documentation: Begin gathering required information
Related Topics to Explore
- Network segmentation: Reducing PCI scope
- Tokenization: Eliminating stored card data
- Security awareness training: Preparing your team
- Vulnerability scanning: Required technical testing
- Incident response planning: Preparing for security events
Resources for Deeper Learning
- PCI Security Standards Council website: Official source for all SAQs
- Payment brand compliance programs: Specific requirements from Visa, Mastercard, etc.
- Industry compliance guides: Sector-specific recommendations
- Security frameworks: NIST, ISO 27001 for broader context
FAQ
Q: How much does SAQ A-EP compliance typically cost versus SAQ D?
A: SAQ A-EP compliance typically costs $1,000-$5,000 annually for most small businesses, including tools and basic support. SAQ D can range from $10,000-$50,000+ in the first year due to extensive security requirements and often requires ongoing professional support.
Q: Can I use SAQ A-EP if I also take phone orders?
A: Yes, but only if you also outsource phone payment processing to a PCI-compliant provider and never write down or electronically store card details. If you process phone payments differently, you may need SAQ C or SAQ D.
Q: What happens if I choose the wrong SAQ?
A: You’ll likely fail your compliance assessment and need to start over with the correct SAQ. This can delay compliance by months and potentially expose you to fines or increased processing fees during the gap.
Q: How often do I need to recomplete my SAQ?
A: Annually at minimum, or whenever your payment processes change significantly. Many businesses review quarterly to ensure ongoing compliance.
Q: Is SAQ A-EP really that much easier than SAQ D?
A: Yes, significantly. SAQ A-EP has 138 fewer requirements and focuses mainly on policies and procedures rather than technical controls. Most businesses can complete SAQ A-EP in a fraction of the time needed for SAQ D.
Q: Can I switch payment processors to qualify for SAQ A-EP?
A: Potentially, yes. Many modern payment processors offer solutions specifically designed to qualify merchants for SAQ A-EP. Look for providers offering hosted payment pages or iframe solutions with proper isolation.
Conclusion
Understanding the difference between SAQ A-EP and SAQ D is crucial for your business’s PCI compliance journey. While SAQ D offers the most comprehensive security coverage, it requires significantly more resources and expertise. SAQ A-EP provides a streamlined path for eligible e-commerce businesses, reducing both complexity and costs while maintaining strong security.
Remember, choosing the right SAQ isn’t about finding the easiest option—it’s about accurately reflecting how your business handles payment data. When you match your SAQ to your actual payment processes, compliance becomes a manageable part of doing business rather than an overwhelming burden.
The good news is that regardless of which SAQ applies to your business, achieving compliance is absolutely possible with the right approach and resources.
Ready to determine which SAQ your business needs? Try our free PCI SAQ Wizard tool at PCICompliance.com. In just a few minutes, you’ll know exactly which compliance path is right for you and can start your journey with confidence. Our platform helps thousands of businesses achieve and maintain PCI DSS compliance with affordable tools, expert guidance, and ongoing support. Don’t guess—know for certain which SAQ you need and take the first step toward protecting your business and customers today.