When to Use N/A on SAQ
The Good News About PCI Compliance
If you just received a PCI compliance questionnaire from your payment processor and you’re wondering when to use N/A on your SAQ, here’s the reassuring truth: for most small businesses, PCI compliance is far simpler than it initially appears. You don’t need to answer “yes” to every question, and many sections might not apply to your business at all — that’s exactly when you’ll use “N/A” (not applicable).
Think of your Self-Assessment Questionnaire (SAQ) like a tax form — you only fill out the sections that apply to your specific situation. Just as you’d skip the farming income section if you don’t own a farm, you’ll mark “N/A” for PCI requirements that don’t match how your business handles credit cards.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) exists for one simple reason: to protect credit card data from theft. If your business accepts Visa, Mastercard, American Express, or Discover — whether in person, online, or over the phone — these rules apply to you.
The major card brands created these standards through the PCI Security Standards Council (PCI SSC), but they don’t enforce them directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) makes sure you’re following the rules. They’re the ones who sent you that compliance questionnaire.
Why This Matters to Your Business
Non-compliance carries real consequences:
- Fines from your processor (typically $5,000-$100,000 per month until you comply)
- Personal liability if customer card data gets stolen
- Loss of card processing privileges — you literally can’t accept credit cards anymore
- Breach costs that average $150,000+ for small businesses
But here’s the good news: most small businesses qualify for the simplest SAQ types, which you can complete in an afternoon. The key is knowing which requirements actually apply to you — and marking the rest as “N/A.”
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form, yes. It doesn’t matter if you process one transaction or one million — the moment you accept a credit card payment, you’re required to protect that data according to PCI standards.
Your Merchant Level
Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total Visa transactions annually). This is good news — Level 4 merchants complete an SAQ rather than undergo a full onsite assessment.
What Your Payment Processor Expects
Your payment processor sent you that questionnaire because they’re required to verify your compliance annually. They need:
- A completed Self-Assessment Questionnaire (SAQ) — the right type for your business
- An Attestation of Compliance (AOC) — basically your signature saying the SAQ is accurate
- Quarterly vulnerability scans if you have any internet-facing systems (we’ll explain this)
- Proof you’ve completed these requirements by their deadline
Which SAQ Do You Need?
Choosing the right SAQ is crucial — it determines which questions you’ll answer and which you’ll mark as “N/A.” Here’s how to identify yours:
| How You Accept Payments | SAQ Type | Complexity |
|---|---|---|
| Redirect customers to PayPal, Stripe Checkout, or similar | SAQ A | Simplest (22 questions) |
| E-commerce site with payment fields on your page | SAQ A-EP | Simple (139 questions) |
| Standalone terminal (Square, Clover) with no computer connection | SAQ B | Simple (41 questions) |
| Terminal connected to internet/computer | SAQ B-IP | Moderate (82 questions) |
| Take payments over the phone | SAQ C-VT | Moderate (84 questions) |
| Manual card entry into computer/website | SAQ C | Complex (160 questions) |
| Store card numbers (please stop!) | SAQ D | Very Complex (329 questions) |
Not sure which one? PCICompliance.com’s SAQ Wizard asks you five simple questions about how you accept payments and tells you exactly which SAQ to use.
Real-World Examples
- Coffee shop with a Square terminal: SAQ B or B-IP
- Shopify store: SAQ A (Shopify handles all the card data)
- Restaurant taking phone orders: SAQ C-VT
- Medical office storing card numbers in their system: SAQ D (and they should stop)
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your security practices. Here’s the key insight: you only answer questions that apply to your payment setup. Everything else gets marked “N/A.”
What “N/A” Really Means
When you mark a question as “N/A,” you’re stating: “This requirement doesn’t apply because my business doesn’t have, do, or use what it covers.” For example:
- No e-commerce website? Mark all website security questions as N/A
- Don’t store card numbers? Mark all data storage questions as N/A
- Use cloud-based terminals only? Mark server and network questions as N/A
Documentation You’ll Need
Before starting your SAQ, gather:
- Payment processing statements (to confirm your merchant level)
- Network diagram if you have computers/networks (can be simple)
- Vendor compliance certificates (your payment provider’s AOC)
- Security policies if the SAQ requires them (templates are fine)
The Quarterly ASV Scan
If your SAQ type requires it (mainly for e-commerce), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). Don’t panic — this is:
- Automated (the scanner does the work)
- Non-invasive (it doesn’t affect your website)
- Usually included with compliance platforms
- Required every 90 days
Submitting Your Compliance
Once complete:
1. Sign your Attestation of Compliance (AOC)
2. Submit both SAQ and AOC to your payment processor
3. Schedule quarterly scans if required
4. Save copies for your records
What It Costs
Let’s be honest about the real costs:
Compliance Platform and Tools
- Basic SAQ tools: Free to $30/month
- Full compliance platforms: $50-200/month
- Enterprise solutions: $500+/month
Quarterly ASV Scanning
- Standalone scanning: $100-300/quarter
- Bundled with platform: Often included
- Remediation support: May cost extra
If You Need a QSA
Most small merchants don’t need a Qualified Security Assessor (QSA), but if you do:
- SAQ review: $500-2,000
- Full assessment: $10,000-50,000
- Consulting: $150-300/hour
The Cost of NON-Compliance
- Monthly fines: $5,000-100,000
- Breach costs: Average $150,000+
- Lost business: Immeasurable
- Legal liability: Varies by state
Bottom line: Annual compliance for most small merchants costs less than a single month of non-compliance fines.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly milestones.
Your Compliance Calendar
- Annually: Complete SAQ and AOC
- Quarterly: Run ASV scans (if required)
- Monthly: Review any flagged vulnerabilities
- Ongoing: Maintain security practices
What Triggers a New Assessment
- Changing payment processors
- Adding new payment channels (like starting e-commerce)
- Significant business changes (new locations, systems)
- Moving to a different SAQ type
Making It Simple
PCICompliance.com’s compliance dashboard tracks all your deadlines, stores your documentation, and sends reminders before anything expires. You’ll never wonder “when was my last scan?” or scramble to find last year’s SAQ.
FAQ
Q: Can I just mark everything as N/A to make it easier?
A: No — marking N/A when something actually applies is considered false attestation and can result in larger fines than non-compliance. Only use N/A for requirements that genuinely don’t apply to how your business handles card payments. When in doubt, ask your processor or a QSA.
Q: What happens if I don’t know whether something applies?
A: Start by reading the requirement’s guidance text — it usually explains exactly what situations it covers. If you’re still unsure, contact your payment processor’s support team or use PCICompliance.com’s guided SAQ tool, which explains each requirement in plain English.
Q: My processor says I need SAQ D, but I don’t store card numbers. What’s wrong?
A: This is common — processors often default to SAQ D when they don’t have enough information. Contact them to explain your actual payment setup. You may need to complete a payment flow diagram showing you don’t store card data. Most merchants can qualify for a simpler SAQ type.
Q: Do I need to hire a security consultant to complete my SAQ?
A: Most small merchants don’t need outside help for SAQ A, A-EP, B, or B-IP. These questionnaires are designed for self-completion. If you’re facing SAQ C or D, or if you’re struggling with technical requirements, a few hours of consulting might save you time and ensure accuracy.
Q: How do I know if my payment processor is PCI compliant?
A: Ask them for their service provider AOC. All payment processors must maintain their own PCI compliance and should readily provide this documentation. If they can’t or won’t, consider switching processors — their non-compliance could affect your liability.
Q: What’s the difference between “N/A” and “No” on the SAQ?
A: “N/A” means the requirement doesn’t apply to your business at all. “No” means it does apply but you’re not currently meeting it — which requires creating a remediation plan. Always use N/A when the requirement genuinely doesn’t apply to avoid unnecessary work.
Q: Can I use last year’s SAQ answers?
A: While your answers might be similar, you must complete a fresh assessment annually. Business practices, payment methods, and security controls can change. Plus, the SAQ questions occasionally update. Review each question carefully rather than copying old answers.
Q: What if I fail my ASV scan?
A: Don’t panic — failing vulnerabilities are common and usually fixable. Your ASV report will explain what needs fixing. Address critical and high-risk findings first, then rescan. Most platforms include free rescans, and support teams can help interpret technical findings.
Your Path to PCI Compliance Starts Here
When you understand which requirements actually apply to your business — and can confidently mark the rest as N/A — PCI compliance becomes manageable. You’re not trying to meet every requirement in the standard; you’re only responsible for the ones that match how you actually handle credit cards.
PCICompliance.com makes this process even simpler. Our free SAQ Wizard identifies exactly which questionnaire you need based on your actual payment methods. Our ASV scanning service handles your quarterly vulnerability scans automatically. And our compliance dashboard tracks your progress year-round, sending reminders before deadlines and storing all your documentation in one secure place. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools, guidance, and support to achieve and maintain PCI compliance without the confusion. Start with our free SAQ Wizard to identify your questionnaire type, or talk to our compliance team about your specific situation.