PCI SAQ D cost 2026: full-scope self-assessment pricing read
SAQ D is the comprehensive fallback covering all 329 controls of PCI DSS at full depth. At $5,000 to $20,000 per year it is the most expensive SAQ type, and most merchants who land on it could move to a simpler SAQ through tokenisation or hosted-checkout migration. The first compliance investment for any SAQ D merchant should be a scope-reduction review.
Updated April 2026
- Annual cost: $5k - $20k (SAQ D-Merchant; SAQ D-SP is $8k - $25k)
- Controls: 329 (largest SAQ type; full PCI DSS depth)
- Qualifies: any merchant not qualifying for a simpler SAQ
Who actually needs SAQ D
SAQ D is the comprehensive fallback SAQ type for merchants whose payment environment does not qualify for SAQ A, A-EP, B, B-IP, C, C-VT, or P2PE. The defining characteristic is that the merchant's environment touches cardholder data in some material way: storing card numbers for recurring billing, running a custom payment application that processes card data, or operating a payment environment complex enough that no simpler SAQ category fits the qualification criteria.
Typical SAQ D-Merchant scenarios. A SaaS company storing customer card numbers for subscription auto-renewal where the storage is on the company's own infrastructure rather than tokenised through a payment vendor. A multi-channel retailer operating both in-store P2PE terminals (SAQ P2PE) and an e-commerce custom checkout (SAQ A-EP) where the acquirer requires a single consolidated attestation covering both channels. A marketplace platform with sub-merchant funds flow where the platform handles card data in transit between buyer and seller payment accounts.
Typical SAQ D-Service Provider scenarios. A payment gateway processing card data on behalf of merchant customers. A payment-page hosting service. A fraud screening service that receives raw cardholder data to perform pattern matching. A recurring billing service provider managing card-on-file for merchant customers. A marketplace platform operating sub-merchant onboarding and payment processing. Service providers handling fewer than 300,000 transactions per year per card brand qualify for SAQ D-SP; above that threshold the obligation moves to a full Level 1 service provider Report on Compliance.
SAQ D cost decomposition
| Cost component | Lower band | Upper band |
|---|---|---|
| SAQ D completion (consultant-led) | $5,000 - $10,000 | $12,000 - $20,000 |
| External penetration test (annual) | $5,000 - $10,000 | $10,000 - $20,000 |
| Internal penetration test (annual) | $5,000 - $10,000 | $10,000 - $20,000 |
| ASV quarterly scanning | $400 - $1,500 | $1,500 - $5,000 |
| Internal vulnerability scanning + authenticated scanning | $1,000 - $3,000 | $3,000 - $10,000 |
| Year 1 remediation (one-off) | $3,000 - $15,000 | $15,000 - $50,000+ |
The headline SAQ D annual cost range of $5,000 to $20,000 covers the SAQ completion line item only. The full SAQ D programme cost (SAQ plus pen tests plus scanning plus tooling) typically runs $20,000 to $60,000 per year for active SAQ D merchants, materially more than the headline SAQ figure suggests.
The scope-reduction conversation
For most SAQ D merchants, the first compliance investment to consider is not the SAQ D engagement itself but a scope-reduction review. The review costs $1,500 to $5,000 (a half-day to full-day consulting engagement with a PCI specialist) and produces a written recommendation on whether the merchant's environment can be restructured to qualify for a simpler SAQ. For merchants who can move from SAQ D to SAQ A through hosted-checkout migration, the annual saving is $15,000 to $40,000. For merchants who can move from SAQ D to SAQ A-EP through tokenisation, the annual saving is $10,000 to $25,000.
The tokenisation path is the most common scope-reduction route. Implementing tokenisation through Stripe, Braintree, Basis Theory, VGS, or TokenEx replaces stored cardholder data with non-sensitive tokens, and the cardholder data storage system moves out of PCI scope entirely. The implementation cost runs $2,000 to $10,000 one-off (typically development time plus vendor onboarding fees), and the ongoing tokenisation vendor cost runs $1,000 to $5,000 per year depending on transaction volume and vendor. Payback against the SAQ saving typically arrives within the first compliance cycle.
The hosted-checkout migration path is the second most common route, particularly for e-commerce SAQ D merchants who built custom checkouts in earlier years and have since seen the SAQ-cost implications. Migrating from a custom checkout to Stripe Checkout, PayPal hosted, or Adyen Drop-in eliminates the custom payment code entirely and moves the SAQ type to SAQ A. The migration cost runs $5,000 to $25,000 one-off (typically development time to integrate the hosted payment page, including UX rework). The annual saving against SAQ D is dramatic: a merchant moving from a $15,000 SAQ D to a $500 SAQ A saves $14,500 per year and also eliminates the $15,000 to $25,000 pen testing line item.
When SAQ D is unavoidable
For some merchants the SAQ D obligation is unavoidable. Service providers (SAQ D-SP) cannot tokenise their way out of the obligation because the service-provider role inherently requires handling card data on behalf of customers. Marketplace platforms operating sub-merchant funds flow are typically structurally SAQ D regardless of tokenisation approach. Custom payment applications used for high-touch B2B sales (where the simplicity of a hosted checkout is incompatible with the sales process) sometimes cannot be migrated without breaking the business model.
For these merchants, the SAQ D investment is appropriate and the optimisation focus moves to engagement efficiency rather than scope reduction. The most effective cost optimisations are multi-year contracts with consulting partners (a 10 to 18 percent discount is typical), evidence-collection automation tooling (compliance evidence platforms such as Vanta, Drata, Sprinto, or Secureframe reduce consulting hours by 30 to 50 percent), and continuous compliance posture maintenance rather than an annual scramble, which dramatically reduces year-over-year remediation cost.
The transition from SAQ D-Service Provider to full Level 1 service provider Report on Compliance happens at 300,000 transactions per year per card brand. The cost step is significant: SAQ D-SP at $10,000 to $25,000 versus Level 1 SP ROC at $50,000 to $150,000 for the typical SaaS or fintech service provider. For service providers approaching this threshold, the planning conversation includes both the ROC engagement and the broader operational implications (customer-facing compliance evidence, vendor risk management response time, sales cycle implications of the ROC artifact).
Read the official PCI SAQ D document
The PCI SSC publishes SAQ D-Merchant and SAQ D-Service Provider v4.0 in the official document library. All 329 controls are listed in full.
Frequently asked
PCI SAQ D-Merchant completion runs $5,000 to $20,000 per year for the typical merchant on this SAQ type. Self-completion without consultant assistance sits at the lower band but is rare in practice; most merchants use a consultant for at least the initial scoping and evidence review. A full consultant-led SAQ D engagement runs $10,000 to $20,000 in year one. Renewals are typically 30 to 40 percent cheaper because scoping and evidence templates carry forward. SAQ D-Service Provider is materially more expensive at $8,000 to $25,000 because of the additional service-provider-specific controls and multi-tenant attestation requirements.