Compliance Glossary

What is Self-Assessment Questionnaire?

Definition

A Self-Assessment Questionnaire (SAQ) is a PCI DSS validation tool for merchants and service providers who are not required to undergo a full on-site QSA assessment. There are multiple SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE) based on how the organization handles cardholder data.

In Depth

SAQs allow smaller merchants to validate PCI DSS compliance without the expense of a full QSA assessment. The correct SAQ type depends entirely on how the merchant processes payment cards. SAQ A is the simplest and applies to merchants that fully outsource all cardholder data functions to PCI-compliant third parties (for example, by using a hosted payment page). SAQ A-EP applies to e-commerce merchants that outsource payment processing but whose website could still affect the security of the transaction (for example, the page that redirects to or embeds the payment form). SAQ D is the most comprehensive and applies to any merchant or service provider that does not meet the eligibility criteria for any other SAQ.

Selecting the wrong SAQ type is a common compliance mistake: organizations sometimes choose a simpler SAQ than their payment flow warrants, creating a false sense of compliance. To determine the correct SAQ, an organization must accurately document its payment data flow and identify every point where cardholder data could be exposed, including any system that can influence how a customer's browser reaches the payment page. Acquiring banks and payment brands may challenge an organization's SAQ selection if a breach occurs and the wrong SAQ was used.
