PCI SAQ C cost 2026: POS-on-internet pricing read

SAQ C applies to merchants with a payment application system connected to the internet without meaningful network segmentation. At 160 controls and $1,500 to $6,000 per year, it sits between SAQ B-IP and SAQ D in cost. The migration to SAQ B-IP through network segmentation is the obvious cost-reduction conversation for most SAQ C merchants.

Updated April 2026

Annual cost: $1,500 - $6,000 (including ASV scanning and consultant assist)

Controls: 160 (reduced depth across all 12 PCI DSS requirements)

Qualifies: POS PC on internet, no segmentation

The SAQ C qualification criteria

SAQ C applies to merchants with payment application systems connected to the internet, where the payment system is not isolated from other systems on the merchant's network. The typical SAQ C scenario is a restaurant or retailer running POS software (Aloha, MICROS, NCR, Toast on a PC, MICROS Simphony, Lightspeed Restaurant POS) on a Windows or Linux PC that is connected to the internet for software updates, email, web browsing by staff, or general office productivity in addition to payment processing.

The qualification test is whether the POS environment shares network connectivity with other systems that have unrestricted internet access. If yes, SAQ C applies. If the POS environment is meaningfully isolated (dedicated VLAN, dedicated network segment with restrictive firewall rules, dedicated PC used only for POS), the merchant may qualify for SAQ B-IP (standalone IP-connected terminal equivalent) or SAQ P2PE (if using a validated P2PE solution). The cost gap between SAQ C and SAQ B-IP is roughly $800 to $3,000 per year, and the cost gap between SAQ C and SAQ P2PE is roughly $1,100 to $4,500 per year, so the segmentation investment is consistently worth evaluating.

The PCI SSC SAQ Instructions and Guidelines contains the formal qualification criteria. For merchants on the boundary between SAQ B-IP and SAQ C, the qualification decision is worth confirming with a consultant or QSA at the $500 to $2,000 one-off cost before committing to the more expensive SAQ pathway.

SAQ C cost decomposition

| Cost component | Lower band | Upper band |
| --- | --- | --- |
| SAQ C completion with consultant assist | $1,000 - $2,500 | $3,000 - $5,000 |
| ASV quarterly scanning | $400 - $800 | $1,000 - $1,500 |
| Internal vulnerability scanning tools | $0 (open-source) | $1,000 - $3,000/yr |
| Patch management and configuration tooling | $0 (built-in OS) | $500 - $2,000/yr |
| Year 1 remediation (one-off) | $500 - $2,000 | $2,000 - $5,000 |

Anchored to consulting rate cards from regional PCI specialists and ASV pricing from SecurityMetrics, Qualys, and similar providers. The lower band is realistic for a merchant with strong existing IT discipline; the upper band reflects merchants needing more remediation work.

The SAQ B-IP migration cost-benefit

For SAQ C merchants, the single highest-leverage cost-reduction conversation is whether the POS environment can be segmented to qualify for SAQ B-IP. The segmentation requirements: the POS PC must be on a dedicated network segment, restricted to outbound connections only to the payment processor's IP range and the POS vendor's update server, with no general internet browsing capability. The PC must be used only for POS functions; if staff use the PC for email or web browsing, the segmentation does not qualify.
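The egress restriction described above can be checked mechanically against a firewall export. The following is an added example, not part of the original page: the POS subnet, the processor and update-server addresses (documentation ranges), the simplified `permit|deny SRC DST PORT` ACL format and the function names are all assumptions made for illustration.

```python
import ipaddress as ip

# Constructed values standing in for a real site's addressing.
POS_SEGMENT = ip.ip_network("10.20.30.0/28")            # hypothetical POS VLAN
ALLOWED_DESTS = [
    ip.ip_network("198.51.100.0/24"),                   # payment processor range
    ip.ip_network("203.0.113.10/32"),                   # POS vendor update server
]

# Constructed sample ACLs: a flat network versus a segmented one.
FLAT = """
permit 10.20.30.0/28 198.51.100.0/24 443
permit 10.20.30.0/28 0.0.0.0/0 443    # staff web browsing
permit 10.20.30.0/28 0.0.0.0/0 25     # email from the POS PC
"""
SEGMENTED = """
permit 10.20.30.0/28 198.51.100.0/24 443
permit 10.20.30.0/28 203.0.113.10/32 443
deny   10.20.30.0/28 0.0.0.0/0 any
"""

def parse_acl(text):
    """Parse 'action src dst port' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line:
            action, src, dst, port = line.split()
            rules.append((action, ip.ip_network(src), ip.ip_network(dst), port))
    return rules

def audit_pos_egress(rules):
    """Return findings where POS egress exceeds the two allowed destinations.

    Conservative: every permit whose source overlaps the POS segment is
    checked, even if an earlier rule would shadow it.
    """
    findings = []
    for n, (action, src, dst, port) in enumerate(rules, 1):
        if action == "permit" and src.overlaps(POS_SEGMENT):
            if not any(dst.subnet_of(a) for a in ALLOWED_DESTS):
                findings.append(f"rule {n}: POS segment may reach {dst} port {port}")
    # The last rule must drop everything else leaving the POS segment.
    last = rules[-1] if rules else None
    if not (last and last[0] == "deny" and POS_SEGMENT.subnet_of(last[1])
            and last[2].prefixlen == 0):
        findings.append("no explicit default-deny for the POS segment")
    return findings

if __name__ == "__main__":
    for name, acl in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, audit_pos_egress(parse_acl(acl)) or "egress matches allowlist")
```

This covers only the network condition; whether the PC is used solely for POS functions is a separate criterion that a ruleset cannot show.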

The hardware investment runs $200 to $1,500 per location: a managed switch capable of VLAN segmentation ($150 to $500), a small firewall or router with restrictive ACLs ($50 to $400), configuration time ($200 to $600 if outsourced to a network consultant). The annual SAQ cost saving runs $800 to $3,000 per year by moving from SAQ C ($1,500 to $6,000) to SAQ B-IP ($800 to $3,000).

For multi-location merchants, the segmentation investment scales linearly per location but the annual SAQ saving also scales because most acquirer-portal SAQ products price per attestation per location. A 20-location retailer typically saves $16,000 to $60,000 per year by migrating from SAQ C to SAQ B-IP, against a one-off segmentation investment of $4,000 to $30,000. The migration pays back in the first compliance cycle even at the upper investment band.

When SAQ C is the right choice

SAQ C is the right SAQ type when the operational reality of the merchant's payment environment does not realistically support tighter segmentation. A small restaurant where the POS PC is also used by the manager for email and supplier ordering, where staff use the PC for shift scheduling and labour reports, where the network architecture does not have managed switches or VLAN capability, is genuinely a SAQ C environment. Pretending otherwise to attest to SAQ B-IP risks misclassification and acquirer challenge.

For these merchants, SAQ C is the legitimate path and the $1,500 to $6,000 annual cost is the appropriate compliance investment. The cost can be further optimised by completing SAQ C through an acquirer-portal product (SecurityMetrics, ControlScan via TSYS or Worldpay) rather than direct consultant engagement, which typically prices at the lower band of the cost range.

The other path worth considering is migration to a P2PE-validated terminal (qualifying the merchant for SAQ P2PE at 33 controls and $400 to $1,500 per year). The P2PE terminal cost runs $200 to $800 per terminal incremental versus a non-P2PE terminal, but the SAQ saving and the descoping benefit (cardholder data is never decrypted on the merchant's network) are dramatic for any merchant with more than 3 to 5 terminals.

Read the official PCI SAQ C document

The PCI SSC publishes SAQ C v4.0 in the official document library. The 160 controls are listed in full with the qualification criteria.

PCI SSC document library

Frequently asked

PCI SAQ C completion runs $1,500 to $6,000 per year for the typical merchant on this SAQ type. Direct purchase with consultant assist falls at the lower end ($1,500 to $3,500); inclusion of ASV scanning, basic security tooling, and quarterly compliance review pushes the upper band ($4,000 to $6,000). SAQ C is materially more expensive than SAQ B-IP ($800 to $3,000) and dramatically cheaper than SAQ D ($5,000 to $20,000). The cost premium versus SAQ B-IP reflects the additional network segmentation and patch management evidence the auditor will require.
