Answer a few questions about how your business handles payment card data and find out which PCI DSS v4.0 Self-Assessment Questionnaire applies to you, and what it requires.
A Self-Assessment Questionnaire is a validation tool that eligible merchants and service providers use to self-assess PCI DSS compliance. Which SAQ you complete depends on how you accept and handle cardholder data. The main types are A, A-EP, B, B-IP, C, C-VT, P2PE, and D.
SAQ A is the shortest and applies to card-not-present merchants who fully outsource all cardholder data handling to PCI DSS compliant third parties. SAQ D is the most extensive and covers nearly all PCI DSS requirements; it applies to merchants who store cardholder data or do not qualify for any other SAQ.
Yes. If you electronically store cardholder data on systems you control, you generally must complete SAQ D regardless of channel, and you take on the full scope of protecting that stored data. Avoiding storage is the single biggest way to reduce PCI scope.
Yes. Your merchant level, set by your acquirer based on annual transaction volume, determines whether an SAQ is sufficient or whether a full Report on Compliance by a Qualified Security Assessor is required. Always confirm the exact SAQ and level with your acquiring bank.
Yes, it is free with no signup and nothing you select is sent anywhere. It gives a directional read; your acquiring bank or a QSA confirms the final SAQ. If you want help scoping and completing it, our team can guide the process.
Not ready for a call yet?
A few short notes from Jacob on cutting PCI scope and validating without the pain. No fluff, unsubscribe in one click. Reply anytime; it reaches him directly.
From Jacob Masse, founder of traztech. No spam, unsubscribe in one click.
Want it done for you?
PCI DSS Readiness
We scope your card data environment and get you validated on the right SAQ.
Explore PCI DSS Readiness →We scope your cardholder data environment, cut it down where we can, pick the right SAQ, and get you validated, coordinating with your acquirer or QSA. Turn this answer into a plan.
See PCI DSS Readiness Book a call