All Tools

PCI DSS SAQ Finder

Answer a few questions about how your business handles payment card data and find out which PCI DSS v4.0 Self-Assessment Questionnaire applies to you, and what it requires.

What this SAQ generally requires

    This is a directional guide, not a final determination. The correct SAQ depends on the exact way cardholder data is stored, processed, and transmitted across every channel you use, and your acquiring bank has the final say. Merchant level, set by annual transaction volume, also determines whether an SAQ is sufficient or whether a Report on Compliance by a Qualified Security Assessor is required. If you use more than one acceptance channel, you may need to cover multiple SAQs or complete SAQ D. Always confirm with your acquirer or a QSA before validating.

    Questions

    What is a PCI DSS SAQ?

    A Self-Assessment Questionnaire is a validation tool that eligible merchants and service providers use to self-assess PCI DSS compliance. Which SAQ you complete depends on how you accept and handle cardholder data. The main types are A, A-EP, B, B-IP, C, C-VT, P2PE, and D.

    Which SAQ is the shortest?

    SAQ A is the shortest and applies to card-not-present merchants who fully outsource all cardholder data handling to PCI DSS compliant third parties. SAQ D is the most extensive and covers nearly all PCI DSS requirements; it applies to merchants who store cardholder data or do not qualify for any other SAQ.

    Does storing card data change my SAQ?

    Yes. If you electronically store cardholder data on systems you control, you generally must complete SAQ D regardless of channel, and you take on the full scope of protecting that stored data. Avoiding storage is the single biggest way to reduce PCI scope.

    Do transaction volumes matter too?

    Yes. Your merchant level, set by your acquirer based on annual transaction volume, determines whether an SAQ is sufficient or whether a full Report on Compliance by a Qualified Security Assessor is required. Always confirm the exact SAQ and level with your acquiring bank.

    Is this tool free?

    Yes, it is free with no signup and nothing you select is sent anywhere. It gives a directional read; your acquiring bank or a QSA confirms the final SAQ. If you want help scoping and completing it, our team can guide the process.

    Not ready for a call yet?

    Get the compliance playbook

    A few short notes from Jacob on cutting PCI scope and validating without the pain. No fluff, unsubscribe in one click. Reply anytime; it reaches him directly.

    From Jacob Masse, founder of traztech. No spam, unsubscribe in one click.

    Want it done for you?

    PCI DSS Readiness

    We scope your card data environment and get you validated on the right SAQ.

    Explore PCI DSS Readiness →

    Need to validate PCI DSS?

    We scope your cardholder data environment, cut it down where we can, pick the right SAQ, and get you validated, coordinating with your acquirer or QSA. Turn this answer into a plan.

    See PCI DSS Readiness Book a call