This article and FAQ include contributions from GraVoc’s in-house PCI QSA, Brian Carey, who provided expert guidance on PCI SAQ A and SAQ D to help merchants understand compliance requirements and best practices.

When choosing a PCI compliance self-assessment questionnaire (SAQ), many businesses struggle to determine whether PCI SAQ A or PCI SAQ D is the right fit. PCI SAQ A applies to merchants that fully outsource payment processing and never touch cardholder data, while PCI SAQ D applies to merchants that handle, store, or can impact cardholder data and must comply with all PCI DSS requirements.

It’s common for businesses to start with SAQ A because it has fewer requirements, only to eventually discover that their payment environment is more complex and requires SAQ D.

According to GraVoc’s PCI Qualified Security Assessor (QSA), Brian Carey, this confusion typically stems from a limited understanding of how cardholder data (CHD) flows through an eCommerce environment, resulting in an ill-defined PCI scope. Selecting the wrong SAQ can lead to failed compliance assessments, a false sense of security, or costly penalties in the event of a data breach.

In this blog post, we break down the key differences between PCI SAQ A and PCI SAQ D and explain how to select the SAQ that aligns with your business’ payment environment. If you’re looking for a broader foundation, see our overview of all nine PCI SAQ types and eligibility requirements.


What is PCI SAQ A?

PCI SAQ A is designed for merchants that fully outsource payments to a validated third-party payment processor or use a point-to-point encryption (P2PE) solution for in-person payments. These businesses don’t electronically store, transmit, or process any CHD on their systems, and have no programs or application code that capture payment information on their websites.

Here are some examples of merchants that could qualify for SAQ A:

  • Merchants who run an eCommerce site using redirected checkout.
    • Shops that redirect customers to a hosted checkout at Square, Stripe, or another processor.
    • Shops where the payment form is rendered entirely inside an iframe served by the processor.
  • Brick-and-mortar shops that use validated P2PE systems only.
    • A retail shop that uses P2PE payment terminals.

What is PCI SAQ D?

PCI SAQ D is the ‘catch-all’ assessment type. It applies to merchants and service providers that store, process, or can otherwise affect the security of CHD or don’t meet the eligibility criteria for any of the other SAQ types.

Here are some examples of merchants that could qualify for SAQ D:

  • An eCommerce merchant who has developed their own custom checkout pages.
  • An eCommerce merchant who stores credit card data for returning customers.
  • A brick-and-mortar merchant with point-of-sale (POS) devices on LAN or wireless networks.
  • Merchants with multiple payment channels (web, in store, phone).

What is the difference between PCI SAQ A & SAQ D?

Under PCI DSS 4.0, the difference between PCI SAQ A and PCI SAQ D is primarily based on how cardholder data is handled and the level of security responsibility placed on a business. PCI SAQ A applies to merchants that fully outsource payment processing, meaning card data never enters the merchant’s environment. In contrast, PCI SAQ D is the most comprehensive SAQ and is required for merchants that handle cardholder data directly or do not qualify for any other SAQ type.

Here are the key differences between SAQ A and SAQ D at a glance.

Cardholder data handling

  • PCI SAQ A: Payment processing is fully outsourced, and cardholder data never enters the merchant’s environment. For instance, eCommerce merchants using redirected checkout.
  • PCI SAQ D: The merchant handles, stores, transmits, or can otherwise impact the security of cardholder data.

Assessment scope

  • PCI SAQ A: Very limited scope, covering only a subset of PCI DSS requirements.
  • PCI SAQ D: Broad scope, covering all 12 PCI DSS requirements.

Security responsibilities

  • PCI SAQ A: Focuses on restricting physical access to cardholder data and maintaining an information security policy.
  • PCI SAQ D: Requires full implementation of security controls such as network security, access controls, and regular testing.

Effort and cost

  • PCI SAQ A: Lower effort and lower cost due to reduced requirements.
  • PCI SAQ D: Higher effort and higher cost due to the comprehensive nature of the assessment.

Ultimately, you should choose PCI SAQ A if you fully outsource payment processing and card data never touches your systems. Choose PCI SAQ D if your environment stores, processes, transmits, or can affect cardholder data security. When in doubt, consult a QSA.


What happens if you choose the wrong PCI SAQ?

Ultimately, addressing the requirements within an SAQ helps you address the risks associated with processing payments.

“If you choose the wrong SAQ, you could have a false sense of security by thinking you are addressing risk appropriately when you may not be. Similarly, if you fill out the wrong SAQ, you could be open to increased fines and fees should payment data get breached during an incident and might involve costly re-evaluation of your security controls. It’s always best to check with a QSA if you have any questions about which SAQ is right for you,” according to Brian.


PCI SAQ A FAQ


Do I need a Qualified Security Assessor (QSA) to complete PCI SAQ A?

No. PCI SAQ A is a self-assessment, meaning a QSA is not required to complete it. However, many merchants choose to work with a QSA to ensure the questionnaire is answered correctly, eligibility criteria are met, and supporting evidence is properly documented.


What happens if I complete SAQ A myself and answer a question incorrectly?

An SAQ is a legal attestation of compliance. If incorrect answers are submitted and your organization experiences a data breach, you may be subject to higher fines, increased transaction fees, or mandatory re-assessment. In some cases, merchants are required to revalidate at a more comprehensive SAQ level.


How long does it take to complete PCI SAQ A?

The time required varies based on preparation and documentation. For merchants with existing security controls and evidence, SAQ A can typically be completed in a few days. First-time assessments or environments lacking documentation may take several weeks to complete.


Can I complete PCI SAQ A if I outsource my IT services to a third party?

Yes. Outsourcing IT services is common and does not disqualify a merchant from SAQ A. However, you are still responsible for compliance and must be able to attest to the security controls implemented by your service providers. A QSA may request to review or speak with those providers as part of the process.


Are vulnerability scans required for PCI SAQ A?

Yes. Under PCI DSS v4.0, merchants completing SAQ A are required to conduct quarterly external vulnerability scans using an Approved Scanning Vendor (ASV). These scans help identify external security weaknesses and are a required component of PCI compliance.


What is the new script-based eligibility requirement for PCI SAQ A under PCI DSS v4.0.1, and who does it apply to?

Under PCI DSS v4.0.1 (effective March 31, 2025), eCommerce merchants using embedded payment forms (iframes) must confirm that their website is not susceptible to attacks from unauthorized or malicious scripts that could compromise the payment flow. Merchants using redirect-based payment pages are exempt from this requirement.

To qualify for SAQ A, merchants must either implement adequate script protection controls or obtain written confirmation from their PCI-compliant payment processor that its embedded solution includes such protections when implemented exactly as instructed.
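As an added illustration of what "adequate script protection controls" can look like in practice (this is example code written for this post, not GraVoc's or any processor's tooling), the following Node.js check inventories the `<script>` tags on a payment page that embeds a processor iframe, flags scripts that are inline, not on an authorized allowlist, or missing a Subresource Integrity attribute, and checks that the page's Content-Security-Policy confines `script-src` to that allowlist. The host names, sample HTML and CSP headers are constructed for illustration.

```javascript
// Added example: audit a payment page's scripts and CSP (constructed data).
// Constructed allowlist: the processor's hosted-fields script and our own static host.
const AUTHORIZED_SCRIPT_HOSTS = ["js.example-processor.test", "static.shop.example"];
const BROAD_CSP_SOURCES = ["*", "https:", "http:", "'unsafe-inline'"];

function scriptInventory(html) {
  // Simple tag scan, adequate for this constructed sample; use a DOM parser for real pages.
  const tags = html.match(/<script\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1] || null;
    const host = src ? new URL(src, "https://shop.example").host : null;
    return { src, host, integrity: /\bintegrity\s*=/i.test(tag) };
  });
}

function auditPaymentPage(html, cspHeader) {
  const findings = [];
  for (const s of scriptInventory(html)) {
    if (!s.src) findings.push("inline script present on payment page");
    else if (!AUTHORIZED_SCRIPT_HOSTS.includes(s.host)) findings.push(`unauthorized script host: ${s.host}`);
    else if (!s.integrity) findings.push(`missing SRI integrity on ${s.src}`);
  }
  const scriptSrc = (cspHeader.match(/script-src\s+([^;]+)/i) || [])[1];
  if (!scriptSrc) return [...findings, "CSP has no script-src directive"];
  const sources = scriptSrc.trim().split(/\s+/);
  const broad = sources.filter((v) => BROAD_CSP_SOURCES.includes(v));
  if (broad.length) findings.push(`CSP script-src is too broad: ${broad.join(" ")}`);
  for (const host of AUTHORIZED_SCRIPT_HOSTS) {
    if (!sources.some((v) => v.includes(host))) findings.push(`CSP script-src does not list ${host}`);
  }
  return findings;
}

// Constructed checkout page: one compliant script, one missing SRI, one unauthorized, one inline.
const SAMPLE_PAGE = `<html><head>
<script src="https://js.example-processor.test/hosted-fields.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://static.shop.example/checkout.js"></script>
<script src="https://cdn.third-party.test/analytics.js" integrity="sha384-CONSTRUCTED"></script>
<script>window.dataLayer = [];</script>
</head><body><iframe src="https://js.example-processor.test/card-form"></iframe></body></html>`;
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:;";
const HARDENED_CSP = "default-src 'self'; script-src https://js.example-processor.test https://static.shop.example; frame-src https://js.example-processor.test;";

console.log("weak:", auditPaymentPage(SAMPLE_PAGE, WEAK_CSP));
console.log("hardened CSP:", auditPaymentPage(SAMPLE_PAGE, HARDENED_CSP));
```

Run with `node` to see six findings under the weak CSP and only the three page-level findings once the CSP is tightened; the page findings themselves are fixed by removing the inline and third-party scripts and adding SRI to the shop's own script.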


PCI SAQ D FAQ


Do I need to complete PCI SAQ D or a full Report on Compliance (ROC)?

This depends primarily on your transaction volume and how you are classified by your acquiring bank or payment brands. Most small to mid-sized merchants are eligible to complete SAQ D, while larger merchants with higher transaction volumes may be required to undergo a full ROC performed by a QSA.


What is the difference between an SAQ D Merchant and an SAQ D Service Provider?

The distinction is based on who you process payments for. If you accept card payments for your own goods or services, you are classified as an SAQ D Merchant. If you store, process, or transmit cardholder data on behalf of other entities, you are considered an SAQ D Service Provider, which typically involves additional PCI requirements.


Do I really have to answer all 300+ requirements in SAQ D?

SAQ D is comprehensive by design, but not every requirement applies to every environment. Some controls may be marked “Not Applicable” based on your architecture, technologies, or compensating controls.


What is considered in-scope for a PCI SAQ D assessment?

Scope depends on your specific environment and implementation. In-scope systems may include servers, databases, identity and access management systems, cloud infrastructure, CI/CD pipelines, networking equipment, and supporting processes. In general, any system that stores, processes, transmits, or can impact the security of the Cardholder Data Environment (CDE) is considered in scope.


Do I need a Qualified Security Assessor (QSA) to complete SAQ D?

SAQ D is still considered a self-assessment, so a QSA is not always required. However, some acquirers may mandate QSA involvement, and due to the complexity and risk associated with SAQ D, working with a QSA is often strongly recommended to ensure accuracy and proper scoping.


How long does it take to complete PCI SAQ D?

Organizations should plan for several weeks to complete SAQ D. The process typically includes scoping, evidence collection, control validation, interviews, and documentation. The total duration depends on factors such as environment size, control maturity, system complexity, and organizational readiness.


Can we reduce the scope of an SAQ D assessment?

Yes. Proper network segmentation and architectural design can significantly reduce the size of the Cardholder Data Environment (CDE) and, in turn, the scope of SAQ D.

Still unsure if you qualify for SAQ A or SAQ D?

Talk to GraVoc’s PCI Qualified Security Assessor to accurately scope your payment environment, avoid compliance gaps, and choose the right SAQ. Contact us today to get started!
