PCI SAQ A cost 2026: hosted-checkout e-commerce pricing read

SAQ A is the cheapest PCI Self-Assessment Questionnaire at $300 to $1,000 per year. Qualifying requires fully outsourcing all cardholder data functions, typically through Stripe Checkout, PayPal hosted, or a similar full-redirect integration. For e-commerce merchants who can qualify, this is the genuinely cheapest path to PCI compliance.

Updated April 2026

Annual cost: $300 - $1,000 (bundled with ASV: $200-$500/yr)

Requirements: ~24 (smallest SAQ, v4.0.1)

Qualifies: fully outsourced hosted-checkout e-commerce

The SAQ A qualification decision tree

SAQ A applies to e-commerce merchants who fully outsource cardholder data functions to a PCI DSS validated third party. The merchant's website must not capture, transmit, or store cardholder data in any form. The payment page must be served entirely by the third-party service provider on their domain, not iframed or embedded on the merchant's domain. Crucially, the merchant's domain must not contain any JavaScript that interacts with the card-capture experience, including form fields that the user types into before being redirected.

The qualification test in plain English: when a customer goes to pay, does the browser navigate to a URL on the payment processor's domain (Stripe checkout.stripe.com, PayPal paypal.com, etc.) where the card form is entered, before returning to the merchant's domain? If yes, SAQ A. If the card form appears inside the merchant's domain in any way (iframe, embedded JavaScript SDK, custom field overlay), SAQ A-EP applies regardless of what processor the card data ultimately flows to. The PCI SSC was explicit about this in PCI DSS v4.0 SAQ A guidance and the distinction has been litigated through multiple acquirer disputes.

Common SAQ A qualifying patterns: Stripe Checkout (full redirect), PayPal Standard Checkout, Adyen Hosted Checkout, Worldpay Hosted Payment Page, Braintree Hosted Fields when configured as full redirect. Common SAQ A-EP patterns (not qualifying for SAQ A): Stripe Elements, Stripe.js, Braintree Drop-in UI, Adyen Drop-in, any custom iframe integration. Shopify Payments configured as fully hosted is SAQ A; for Shopify with a third-party gateway, the SAQ type depends on the integration mode.

SAQ A cost decomposition

Cost component | Direct purchase | Bundled with ASV
SAQ A attestation | $300 - $1,000/yr | Included in bundle
ASV quarterly scanning | $100 - $500/yr | Included in bundle
Bundled SAQ A + ASV product | Not applicable | $200 - $500/yr
Acquirer-portal SAQ A (TSYS, Worldpay, etc.) | Often included in processing | Often $0 incremental
Pen testing | Not required for SAQ A | Not required
Req 6.4.3 script monitoring | Not required for SAQ A | Not required

Processor-by-processor SAQ A mapping

Stripe: SAQ A with Stripe Checkout (full redirect to checkout.stripe.com), Stripe-hosted invoice payments, or Stripe-hosted payment links. SAQ A-EP with Stripe Elements, Stripe.js, or any custom payment form that lives on your domain. Confirm via the Stripe Dashboard PCI tab which SAQ type Stripe recommends for your integration.

PayPal: SAQ A with PayPal Standard Checkout (redirect-based) or PayPal Express Checkout (popup window served by PayPal). SAQ A-EP with PayPal Advanced Checkout (embedded UI) or any custom integration. Braintree (PayPal's developer-focused brand) follows a similar mapping: Braintree-hosted = SAQ A, Drop-in UI or custom Braintree integration = SAQ A-EP.

Adyen: SAQ A with Adyen Hosted Checkout. SAQ A-EP with Adyen Drop-in or custom Adyen integration.

Shopify: SAQ A with Shopify Payments configured as the default checkout. For third-party gateways routed through Shopify, the SAQ type depends on the integration; consult Shopify Payments documentation for the specific SAQ recommendation per gateway.

Square: SAQ A for most Square Online merchants; Square Terminal merchants use SAQ B-IP or SAQ P2PE depending on terminal type.

What can go wrong with SAQ A

The most common SAQ A error is misclassification. Merchants self-attest to SAQ A when their integration actually requires SAQ A-EP. This typically surfaces only after a breach when the acquirer's post-incident review identifies the misclassification, at which point the merchant faces both the breach response cost and the regulatory consequences of inaccurate attestation. The PCI SSC has been explicit about the qualification criteria, and acquirers have shown increasing willingness to challenge SAQ A attestations during routine compliance review.

Mitigate this by confirming the SAQ type explicitly during the integration with your payment processor. Stripe, Braintree, Adyen, and the other major processors all publish per-integration SAQ recommendations in their developer documentation. When in doubt, ask the processor's compliance team in writing which SAQ type they recommend for your specific integration mode. The 30-minute conversation is worth the certainty.

The second common error is forgetting third-party scripts on the checkout page. PCI DSS v4.0.1 made this explicit: effective 31 March 2025, the revised SAQ A removed the specific technical requirements 6.4.3 and 11.6.1 (payment-page script management and tamper detection) but added a new eligibility criterion in their place. To validate via SAQ A, the merchant must now confirm that its entire website (not just the payment page) is not susceptible to attacks from scripts that could affect the e-commerce system. A checkout page that loads marketing tags, analytics scripts, or chat widgets that could interact with the cardholder data flow can put that confirmation at risk and push you to SAQ A-EP. This is no longer a hypothetical future tightening; it is the current standard. Keep checkout pages minimal and inventory every script that loads on them.
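An added example, not part of the original page or any processor's tooling: a Python script that inventories the scripts on a checkout page's HTML and flags the on-page card-entry signals named in the qualification test above (iframes and card input fields). The hosts shop.example, tags.example.net and pay.example.org and both sample pages are constructed for illustration; the check reads static HTML only, so scripts injected at runtime are not seen.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Card-related autocomplete tokens from the HTML standard.
CARD_TOKENS = {"cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"}

class PageInventory(HTMLParser):
    """Records scripts, iframes and card-entry inputs found in one page."""
    def __init__(self, merchant_host):
        super().__init__()
        self.merchant_host = merchant_host
        self.script_srcs, self.iframe_hosts, self.card_fields = [], [], []
        self.inline_scripts = 0

    def host_of(self, url):
        # Relative URLs have no hostname and resolve to the merchant's own host.
        return urlparse(url or "").hostname or self.merchant_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "script":
            self.inline_scripts += 1
        elif tag == "iframe":
            self.iframe_hosts.append(self.host_of(a.get("src")))
        elif tag == "input" and (a.get("autocomplete") or "").lower() in CARD_TOKENS:
            self.card_fields.append(a.get("name") or a["autocomplete"])

def inventory_checkout(html, merchant_host):
    """Return the script inventory plus signs that card entry happens on this page."""
    inv = PageInventory(merchant_host)
    inv.feed(html)
    hosts = sorted({inv.host_of(s) for s in inv.script_srcs})
    return {
        "scripts": inv.script_srcs,
        "third_party_hosts": [h for h in hosts if h != merchant_host],
        "inline_scripts": inv.inline_scripts,
        "iframe_hosts": inv.iframe_hosts,
        "card_fields": inv.card_fields,
        # Static HTML cannot show what an iframe hosts, so any iframe is flagged for review.
        "review_for_saq_a_ep": bool(inv.iframe_hosts or inv.card_fields),
    }

# Constructed sample pages for a hypothetical merchant, shop.example.
REDIRECT_PAGE = '<form action="/pay" method="post"><button>Pay</button></form><script src="/static/cart.js"></script>'
EMBEDDED_PAGE = ('<script src="https://js.stripe.com/v3/"></script><script src="https://tags.example.net/t.js"></script>'
                 '<script>init()</script><iframe src="https://pay.example.org/card"></iframe><input name="card" autocomplete="cc-number">')
if __name__ == "__main__":
    print(inventory_checkout(EMBEDDED_PAGE, "shop.example"))
```

Run it against the rendered HTML of every page in the checkout flow and keep the output with the SAQ evidence; a flagged page is a prompt to confirm the SAQ type with the processor, not a determination.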

Read the official PCI SAQ A document

The PCI SSC publishes SAQ A v4.0 in the official document library. Reading the actual SAQ before completing it confirms eligibility.

Frequently asked

PCI SAQ A completion costs $300 to $1,000 per year for the typical small to mid-market e-commerce merchant. Bundled with ASV quarterly scanning through SecurityMetrics or similar SMB-focused providers, the total annual cost runs $200 to $500. Standalone SAQ A completion through a consultant runs $500 to $2,000 depending on consultant rate and scope of evidence review. SAQ A is the cheapest PCI Self-Assessment Questionnaire and is the genuinely cheapest legitimate path to PCI compliance for any e-commerce merchant who can qualify.
