SAQ D Service Provider cost 2026: payment-adjacent SP pricing read
SAQ D-SP applies to payment gateways, payment-page hosting services, fraud screening services, and similar payment-adjacent service providers handling cardholder data on behalf of merchant customers, below the 300,000 transaction per year threshold. At $8,000 to $25,000 per year and 347 controls, it is the most expensive SAQ type, and the path to a full Level 1 SP ROC is one transaction-volume milestone away.
Updated April 2026
| Metric | Value |
|---|---|
| Annual cost | $8k - $25k (SAQ completion; full programme $25k-$80k) |
| Controls | 347 (18 more than SAQ D-Merchant) |
| Upgrade trigger | 300k tx/year per brand → Level 1 SP ROC |
Who qualifies as a service provider for PCI
The PCI service provider definition is broader than many organisations realise. Service providers include any organisation that stores, processes, or transmits cardholder data on behalf of another entity, or any organisation that could impact the security of cardholder data even if it does not directly handle the data. Common SAQ D-SP organisations: payment gateways (Stripe at high volume, Adyen at high volume, smaller regional gateways), payment-page hosting services, fraud screening services that receive raw cardholder data for pattern matching, recurring billing service providers managing card-on-file, marketplace platforms operating sub-merchant funds flow, white-label payment processing platforms, payment terminal management services, and PCI compliance management platforms that handle merchant customer data.
Less obvious SAQ D-SP organisations include hosting providers whose customers run payment applications on the hosted infrastructure (where the hosting provider's security posture directly affects the customer's PCI scope), managed service providers operating customer payment environments, cloud service providers offering PCI-in-scope services (AWS, Azure, GCP all maintain their own AOCs that customers reference for PCI scope inheritance), and software-as-a-service products whose features touch cardholder data handling even tangentially.
The service provider designation is contractual: it is established through the merchant agreement between the SP and the merchant customer. SPs whose contracts explicitly disclaim handling of cardholder data may not require PCI compliance, though the PCI SSC's interpretation has tightened over time and acquirers increasingly require SP compliance evidence from any organisation whose service could plausibly affect cardholder data security. When in doubt, treat the obligation as applicable and complete SAQ D-SP rather than risk acquirer challenge.
SAQ D-SP cost decomposition
| Cost component | Lower band | Upper band |
|---|---|---|
| SAQ D-SP completion (consultant-led) | $8,000 - $15,000 | $18,000 - $25,000 |
| External penetration test (annual) | $10,000 - $20,000 | $20,000 - $30,000 |
| Internal penetration test (annual) | $10,000 - $15,000 | $15,000 - $25,000 |
| Segmentation validation (every 6 months) | $5,000 - $10,000 | $10,000 - $15,000 |
| ASV quarterly scanning | $1,500 - $3,000 | $3,000 - $8,000 |
| Customer evidence package preparation | $2,000 - $5,000 | $5,000 - $15,000 |
| Year 1 remediation (one-off) | $10,000 - $25,000 | $25,000 - $75,000+ |
The full SAQ D-SP programme typically lands at $50,000 to $120,000 in year one and $35,000 to $80,000 in renewal years. The remediation line item is the most variable and depends heavily on the SP's pre-engagement security maturity.
The customer evidence provision workload
The single operational difference that distinguishes SAQ D-SP from SAQ D-Merchant is the customer evidence provision obligation. Service providers must provide their merchant customers with evidence that the SP's environment is PCI-compliant, in a form the customer can use to support their own attestation. The typical evidence package: a copy of the SP's Attestation of Compliance (AOC), a Responsibility Matrix mapping each in-scope PCI control to either the SP or the customer (so the customer knows which controls they still own), and a Customer Security Brief summarising the SP's security posture, breach history, and incident response capability.
For SPs with hundreds or thousands of merchant customers, the evidence provision workload is non-trivial. Best-practice SPs publish their AOC, Responsibility Matrix, and Security Brief on a customer-facing trust portal where customers can self-serve the documents. SPs without a trust portal end up handling individual customer requests through sales or compliance email channels, often at significant labour cost. The trust portal approach (often built on top of compliance automation platforms like Vanta Trust Center, Drata Trust Center, or Secureframe Trust Hub) is the typical $5,000 to $15,000 per year investment that pays back through reduced manual evidence-request handling.
The Responsibility Matrix in particular is a customer-facing document that requires considerable effort. For complex SP services with significant shared-responsibility surface area (hosting providers, cloud service providers, full-stack payment processing platforms), the Responsibility Matrix can run 50+ pages with detailed control-by-control mapping. Building the matrix once and keeping it current is materially cheaper than reactive responses to individual customer questions.
Three concrete SAQ D-SP scenarios
Scenario one. A B2B SaaS recurring billing platform processing 75,000 transactions per year on behalf of 50 merchant customers, single-region AWS deployment, card data tokenised through Stripe with the SaaS storing only tokens. Year-one total: $35,000 to $55,000. SAQ D-SP completion $12,000 to $18,000, external pen test $12,000, internal pen test $10,000, ASV scanning $2,000, customer evidence package preparation $3,000 to $5,000, year-one remediation $5,000 to $10,000. Renewal years drop to $25,000 to $40,000.
Scenario two. A fraud screening service processing 200,000 transactions per year across 300 merchant customers, multi-region cloud deployment, raw cardholder data received for pattern matching with retention limited to 30 days. Year-one total: $60,000 to $90,000. SAQ D-SP completion $15,000 to $20,000, pen tests $30,000 to $40,000 (multi-region scope), ASV scanning $3,000, customer trust portal $10,000 to $15,000 to manage the 300 customer evidence requests, year-one remediation $10,000 to $20,000.
Scenario three. A marketplace platform with 250,000 transactions per year handling sub-merchant funds flow, complex multi-tenant architecture, approaching the 300,000 transaction per brand threshold. Year-one total: $80,000 to $120,000. Full SAQ D-SP programme with planning workstream for Level 1 SP ROC transition in year 2 or 3. The platform should engage a QSA for SAQ D-SP completion (rather than a non-QSA consultant) so the same firm can carry forward to the Level 1 SP ROC engagement, saving 15 to 25 percent on the year-2 ROC versus a fresh QSA engagement.
Read the official PCI SAQ D-SP document
The PCI SSC publishes SAQ D-Service Provider v4.0 in the official document library. All 347 controls and the service-provider-specific requirements are listed in full.
Frequently asked
SAQ D-Service Provider completion runs $8,000 to $25,000 per year for the typical service provider. The cost premium versus SAQ D-Merchant ($5,000 to $20,000) reflects the additional 18 controls (347 vs 329) covering service-provider-specific requirements, plus the customer-facing evidence provision workload. Full programme cost including pen testing, ASV scanning, internal scanning, and tooling runs $25,000 to $80,000 per year for active SAQ D-SP service providers. Once transaction volume exceeds 300,000 per year per any single card brand, the obligation moves to a full Level 1 service provider Report on Compliance at $40,000 to $150,000.