PCI SAQ A cost 2026: hosted-checkout e-commerce pricing read
SAQ A is the cheapest PCI Self-Assessment Questionnaire at $300 to $1,000 per year. Qualifying requires fully outsourcing all cardholder data functions, typically through Stripe Checkout, PayPal hosted, or similar full-redirect integration. For e-commerce merchants who can qualify, this is the genuinely cheapest path to PCI compliance.
Updated April 2026
Annual cost: $300 - $1,000 (bundled with ASV: $200-$500/yr)
Controls: 22 (smallest of any SAQ type)
Qualifies: fully outsourced hosted-checkout e-commerce
The SAQ A qualification decision tree
SAQ A applies to e-commerce merchants who fully outsource cardholder data functions to a PCI DSS validated third party. The merchant's website must not capture, transmit, or store cardholder data in any form. The payment page must be served entirely by the third-party service provider on their domain, not iframed or embedded on the merchant's domain. Crucially, the merchant's domain must not contain any JavaScript that interacts with the card-capture experience, including form fields that the user types into before being redirected.
The qualification test in plain English: when a customer goes to pay, does the browser navigate to a URL on the payment processor's domain (Stripe checkout.stripe.com, PayPal paypal.com, etc.) where the card form is entered, before returning to the merchant's domain? If yes, SAQ A. If the card form appears inside the merchant's domain in any way (iframe, embedded JavaScript SDK, custom field overlay), SAQ A-EP applies regardless of what processor the card data ultimately flows to. The PCI SSC was explicit about this in PCI DSS v4.0 SAQ A guidance and the distinction has been litigated through multiple acquirer disputes.
Common SAQ A qualifying patterns: Stripe Checkout (full redirect), PayPal Standard Checkout, Adyen Hosted Checkout, Worldpay Hosted Payment Page, Braintree Hosted Fields when configured as full redirect. Common SAQ A-EP patterns (not qualifying for SAQ A): Stripe Elements, Stripe.js, Braintree Drop-in UI, Adyen Drop-in, any custom iframe integration. Shopify Payments configured as fully hosted = SAQ A; Shopify with a third-party gateway = depends on integration mode.
SAQ A cost decomposition
| Cost component | Direct purchase | Bundled with ASV |
|---|---|---|
| SAQ A attestation | $300 - $1,000/yr | Included in bundle |
| ASV quarterly scanning | $100 - $500/yr | Included in bundle |
| Bundled SAQ A + ASV product | Not applicable | $200 - $500/yr |
| Acquirer-portal SAQ A (TSYS, Worldpay, etc.) | Often included in processing | Often $0 incremental |
| Pen testing | Not required for SAQ A | Not required |
| Req 6.4.3 script monitoring | Not required for SAQ A | Not required |
Processor-by-processor SAQ A mapping
Stripe: SAQ A with Stripe Checkout (full redirect to checkout.stripe.com), Stripe-hosted invoice payments, or Stripe-hosted payment links. SAQ A-EP with Stripe Elements, Stripe.js, or any custom payment form that lives on your domain. Confirm via the Stripe Dashboard PCI tab which SAQ type Stripe recommends for your integration.
PayPal: SAQ A with PayPal Standard Checkout (redirect-based), PayPal Express Checkout (popup window served by PayPal). SAQ A-EP with PayPal Advanced Checkout (embedded UI) or any custom integration. Braintree (PayPal's developer-focused brand) follows similar mapping: Braintree-hosted = SAQ A, Drop-in UI or custom Braintree integration = SAQ A-EP.
Adyen: SAQ A with Adyen Hosted Checkout. SAQ A-EP with Adyen Drop-in or custom Adyen integration.
Shopify: SAQ A with Shopify Payments configured as the default checkout. For third-party gateways routed through Shopify, the SAQ type depends on the integration; consult Shopify Payments documentation for the specific SAQ recommendation per gateway.
Square: SAQ A for most Square Online merchants; Square Terminal merchants use SAQ B-IP or SAQ P2PE depending on terminal type.
What can go wrong with SAQ A
The most common SAQ A error is misclassification. Merchants self-attest to SAQ A when their integration actually requires SAQ A-EP. This typically surfaces only after a breach when the acquirer's post-incident review identifies the misclassification, at which point the merchant faces both the breach response cost and the regulatory consequences of inaccurate attestation. The PCI SSC has been explicit about the qualification criteria, and acquirers have shown increasing willingness to challenge SAQ A attestations during routine compliance review.
Mitigate this by confirming the SAQ type explicitly during the integration with your payment processor. Stripe, Braintree, Adyen, and the other major processors all publish per-integration SAQ recommendations in their developer documentation. When in doubt, ask the processor's compliance team in writing which SAQ type they recommend for your specific integration mode. The 30-minute conversation is worth the certainty.
The second common error is forgetting third-party scripts on the checkout page. Even if the payment form itself is hosted by Stripe Checkout, a checkout page that loads marketing tags, analytics scripts, or chat widgets that could theoretically interact with the cardholder data flow may still trigger SAQ A-EP under strict interpretation. Most acquirers do not enforce this strictly today, but the PCI SSC v4.0 commentary suggests the distinction will tighten in future versions. Keep checkout pages minimal.
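One way to gather evidence for the qualification test and the third-party-script check described above, as an added example that is not part of the original page: it inventories a saved copy of a checkout page for card-capture elements on the merchant's domain and for external script hosts. The `PROCESSOR_EMBED_HOSTS` set, the verdict strings, the sample pages and the `shop.example` host are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts serving a processor's embedded SDK or hosted fields.
# Only Stripe.js is listed; extend the set for your own processor.
PROCESSOR_EMBED_HOSTS = {"js.stripe.com"}

class CheckoutInventory(HTMLParser):
    """Collect the page elements the qualification test looks at."""
    def __init__(self, merchant_host):
        super().__init__()
        self.merchant_host = merchant_host
        self.card_capture = []    # evidence of card entry on the merchant page
        self.third_party = set()  # other external script/iframe hosts

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "iframe") and a.get("src"):
            # Relative URLs have no hostname and belong to the merchant.
            host = urlparse(a["src"]).hostname or self.merchant_host
            if host in PROCESSOR_EMBED_HOSTS:
                self.card_capture.append(f"{tag} from {host}")
            elif host != self.merchant_host:  # exact match; subdomains count as external
                self.third_party.add(host)
        elif tag == "input" and a.get("autocomplete", "").lower().startswith("cc-"):
            self.card_capture.append(f"input autocomplete={a['autocomplete'].lower()}")

def audit_checkout(html, merchant_host):
    inv = CheckoutInventory(merchant_host)
    inv.feed(html)
    if inv.card_capture:
        verdict = "card capture on merchant page"
    elif inv.third_party:
        verdict = "redirect only, third-party scripts present"
    else:
        verdict = "redirect only, minimal page"
    return {"verdict": verdict, "card_capture": inv.card_capture,
            "third_party": sorted(inv.third_party)}

# Constructed sample pages (not taken from any real site).
REDIRECT_PAGE = """<html><body>
<form action="/create-checkout-session" method="post"><button>Pay</button></form>
<script src="/static/cart.js"></script>
<script src="https://tags.example.net/t.js"></script>
</body></html>"""
EMBEDDED_PAGE = """<html><head><script src="https://js.stripe.com/v3/"></script></head>
<body><form><input name="card" autocomplete="cc-number"></form></body></html>"""

if __name__ == "__main__":
    for name, page in (("redirect", REDIRECT_PAGE), ("embedded", EMBEDDED_PAGE)):
        print(name, audit_checkout(page, "shop.example"))
```

A "card capture on merchant page" result is the pattern this page maps to SAQ A-EP; the findings list is the evidence to attach when asking the processor in writing which SAQ type applies.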
Read the official PCI SAQ A document
The PCI SSC publishes SAQ A v4.0 in the official document library. Reading the actual SAQ before completing it confirms eligibility.
Frequently asked
PCI SAQ A completion costs $300 to $1,000 per year for the typical small to mid-market e-commerce merchant. Bundled with ASV quarterly scanning through SecurityMetrics or similar SMB-focused providers, the total annual cost runs $200 to $500. Standalone SAQ A completion through a consultant runs $500 to $2,000 depending on consultant rate and scope of evidence review. SAQ A is the cheapest PCI Self-Assessment Questionnaire and is the genuinely cheapest legitimate path to PCI compliance for any e-commerce merchant who can qualify.