PCI SAQ Types: Which Self-Assessment Questionnaire Do You Need?

The PCI Self-Assessment Questionnaire (SAQ) is how most merchants demonstrate compliance. But there are 9 different SAQ types, ranging from 22 questions (SAQ A) to 347 questions (SAQ D for service providers). Choosing the wrong SAQ wastes money and effort. Use our interactive wizard below to find the right one, then read the detailed comparison to understand costs and requirements for each type.

Last verified: April 2026

SAQ Selector Wizard

Answer three simple questions about how you accept payments, and we will tell you which SAQ type applies to your business. This tool covers the most common merchant scenarios.

All 9 SAQ Types Compared

The table below compares all nine PCI SAQ types. The right SAQ for your business depends on how you accept payments, whether you store card data, and what technologies you use. Choosing a simpler SAQ by changing your payment integration can save thousands of dollars annually -- see our cost reduction strategies page for specific guidance.

| SAQ Type | Who It Is For | Questions | Estimated Cost | Time | Difficulty |
|---|---|---|---|---|---|
| SAQ A | Card-not-present merchants using fully hosted payment pages (redirect) | 22 | $300 – $1,000 | 1-3 days | Low |
| SAQ A-EP | E-commerce merchants whose website affects payment page security (iframe/JS) | 191 | $2,000 – $8,000 | 2-6 weeks | Medium-High |
| SAQ B | Merchants using imprint machines or standalone dial-out terminals only | 41 | $500 – $2,000 | 1-2 weeks | Low |
| SAQ B-IP | Merchants using standalone IP-connected POS terminals (no electronic card data storage) | 82 | $800 – $3,000 | 2-4 weeks | Medium |
| SAQ C | Merchants with payment application systems connected to the internet | 160 | $1,500 – $6,000 | 3-6 weeks | Medium |
| SAQ C-VT | Merchants manually entering single transactions via a virtual terminal on an isolated computer | 79 | $800 – $2,500 | 1-3 weeks | Medium |
| SAQ D (Merchant) | All merchants not qualifying for any other SAQ type | 329 | $5,000 – $20,000 | 2-4 months | High |
| SAQ D (Service Provider) | Service providers eligible to self-assess | 347 | $8,000 – $25,000 | 3-6 months | High |
| SAQ P2PE | Merchants using validated P2PE hardware terminals only | 33 | $400 – $1,500 | 1-2 weeks | Low |

SAQ A: The Simplest Path to Compliance

SAQ A is the gold standard for small merchants seeking the easiest, cheapest path to PCI compliance. With only 22 questions and no requirement for vulnerability scanning or penetration testing, SAQ A can be completed in as little as one hour. The key requirement is that you must fully outsource all payment processing to a PCI DSS compliant third-party provider using a redirect (your customer leaves your website and enters card data on the provider's site) or a hosted payment page.

Common payment integrations that qualify for SAQ A include Stripe Checkout (full redirect mode), PayPal Standard, Shopify Payments, Square Online, and WooCommerce with PayPal or Stripe Checkout redirect. The critical distinction is that card data must never pass through your systems -- not even temporarily. If your website loads JavaScript from the payment provider that renders the payment form on your domain (like Stripe Elements), you likely need SAQ A-EP instead.

Cost Savings Opportunity

Switching from SAQ D ($5,000-$20,000/year) to SAQ A ($300-$1,000/year) can save $4,700-$19,000 annually. For most small e-commerce businesses, the only change required is switching from a custom payment form to a hosted checkout redirect. See cost reduction strategies for implementation guidance.

SAQ D: When You Cannot Avoid the Full Assessment

SAQ D is the most comprehensive self-assessment questionnaire, covering all 12 PCI DSS requirements with 329 questions for merchants or 347 for service providers. If you store, process, or transmit cardholder data and do not qualify for any other SAQ type, SAQ D is your default. This typically applies to merchants with custom payment integrations, those who store card data for recurring billing without using tokenization, and service providers who handle card data on behalf of other organisations.

Completing SAQ D typically takes 2-4 months for the first time and requires cross-departmental collaboration. Most organisations engage a PCI consultant ($500-$5,000) to assist with SAQ D completion and gap analysis. The total annual cost for SAQ D compliance ranges from $5,000-$20,000+ including the assessment itself, quarterly ASV scanning, annual penetration testing, security tools, and remediation of any gaps identified.

Before resigning yourself to SAQ D, explore whether architectural changes could qualify you for a simpler SAQ. Tokenizing stored card data, switching to hosted payment pages, and implementing P2PE terminals can all reduce your SAQ scope. A PCI consultant's scoping assessment ($500-$2,000) can identify the fastest path to a simpler SAQ. See QSA assessment costs for when it makes sense to skip SAQ D entirely and go straight to a formal QSA audit.

SAQ A-EP: The E-commerce Grey Area

SAQ A-EP sits between SAQ A and SAQ D in complexity, with 191 questions. It is specifically designed for e-commerce merchants whose website affects the security of the payment transaction, even though they do not directly handle card data. The most common scenario is merchants using embedded payment forms (iframes or JavaScript-rendered payment fields) where card data goes directly from the customer's browser to the payment provider, but the merchant's website controls the surrounding page.

Under PCI DSS 4.0, SAQ A-EP has become more demanding due to Requirement 6.4.3 (payment page script management). Merchants on SAQ A-EP must now inventory all JavaScript running on their payment pages, ensure each script is authorised, and implement integrity monitoring. This typically requires new tooling costing $1,000-$5,000/year. Common integrations requiring SAQ A-EP include Stripe Elements, Braintree Drop-in UI, Adyen Web Components, and any integration using iframes for payment collection on the merchant's domain.
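To make the Requirement 6.4.3 inventory-and-integrity obligation concrete, here is an added example of the kind of check a merchant's tooling would run against a saved copy of its payment page. It is illustrative code written for this page, not code from the page, from the PCI SSC or from any payment provider; the script URLs, the page content and the "expected build" hashes are constructed placeholders. The check lists every script the page loads, reports any script that is not in the merchant's authorised inventory, and reports authorised scripts whose Subresource Integrity (SRI) attribute is missing or does not match the pinned hash.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: str) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    digest = hashlib.sha384(content.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class ScriptCollector(HTMLParser):
    """Collects every <script> element on a page, whether external (src) or inline."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # one dict per script: src, integrity, inline body
        self._current = None   # the <script> element currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_payment_page(html, authorized_external, authorized_inline):
    """Compare the scripts actually present on a payment page with the authorised inventory.

    authorized_external maps each approved script URL to the SRI hash it must carry;
    authorized_inline is the set of SRI hashes of approved inline script bodies.
    Returns one finding per script that is not both authorised and integrity-verified.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        if script["src"] is None:
            # Inline script: authorised only if the hash of its body is on the approved list.
            body_hash = sri_hash(script["inline"].strip())
            if body_hash not in authorized_inline:
                findings.append({"script": "<inline>", "issue": "unauthorized-inline", "hash": body_hash})
            continue
        src = script["src"]
        if src not in authorized_external:
            findings.append({"script": src, "issue": "unauthorized"})
        elif script["integrity"] is None:
            findings.append({"script": src, "issue": "no-integrity"})
        elif script["integrity"] != authorized_external[src]:
            findings.append({"script": src, "issue": "integrity-mismatch"})
    return findings


# Constructed sample data (placeholders, not real provider endpoints or real hashes).
CHECKOUT_JS_BODY = "window.Checkout = { mount: function (sel) {} };"   # stands in for the provider library
APPROVED_INLINE = "Checkout.mount('#card');"                            # the merchant's own approved snippet

AUTHORIZED_EXTERNAL = {
    "https://payments.example/checkout.js": sri_hash(CHECKOUT_JS_BODY),
    "https://cdn.example/ui-kit.js": "sha384-EXPECTED_BUILD",            # inventory pins a specific build
}
AUTHORIZED_INLINE = {sri_hash(APPROVED_INLINE)}

# Constructed page: one script is fine, one serves a build other than the pinned one,
# one was added without authorisation, and one inline snippet is not on the approved list.
SAMPLE_PAYMENT_PAGE = f"""
<html><body>
<form id="card"></form>
<script src="https://payments.example/checkout.js" integrity="{sri_hash(CHECKOUT_JS_BODY)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/ui-kit.js" integrity="sha384-SOME_OTHER_BUILD"></script>
<script src="https://tags.example/loader.js"></script>
<script>{APPROVED_INLINE}</script>
<script>document.getElementById('card').addEventListener('submit', function (e) {{}});</script>
</body></html>
"""


def run_sample_audit():
    """Audit the constructed page; a fully authorised page returns an empty list."""
    return audit_payment_page(SAMPLE_PAYMENT_PAGE, AUTHORIZED_EXTERNAL, AUTHORIZED_INLINE)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

Run on its own, the script reports three findings for the constructed page: the UI-kit script serving a build other than the pinned one, the unauthorised tag loader, and the inline snippet that is not on the approved list. In practice the inventory is the merchant's documented list of scripts with a business justification for each, the check runs on a schedule or on every deploy, and a script whose provider ships unpinnable, frequently changing builds is exactly the case where the "integrity-mismatch" finding has to be reviewed rather than silently re-pinned.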

If you are currently on SAQ A-EP and want to simplify, consider switching to a full redirect payment flow (Stripe Checkout, PayPal hosted pages) to qualify for SAQ A. This eliminates the need for payment page script monitoring and reduces your questionnaire from 191 to 22 questions. The trade-off is slightly less control over the checkout UX, as customers leave your site to complete payment.

“My Processor Says I Need SAQ X, But I Disagree”

Disputes over SAQ type assignment are common. Some processors default merchants to SAQ D when a simpler SAQ would apply, often because they lack detailed knowledge of the merchant's payment integration. Other times, a processor correctly identifies that a merchant needs a more complex SAQ than the merchant expected. Here is how to resolve these situations:

Document your payment flow

Create a clear diagram showing how card data flows from the customer to the payment provider. Include every system, application, and network segment involved. If card data never touches your environment, this documentation supports your case for SAQ A. Share this with your processor's compliance team, not just their customer service department.

Reference your payment provider's documentation

Major payment providers (Stripe, PayPal, Braintree, Adyen) publish documentation specifying which SAQ applies to each of their integration methods. This documentation carries significant weight in discussions with your acquiring bank. If Stripe's documentation says their Checkout product qualifies for SAQ A, your processor should accept this unless they have specific evidence to the contrary.

Engage a PCI consultant

If the dispute persists, a short engagement with a PCI QSA or consultant ($500-$2,000) for a formal scoping assessment can provide an independent, authoritative determination of your correct SAQ type. Your acquiring bank will typically accept a QSA's scoping determination. This investment often pays for itself many times over if it results in a simpler SAQ assignment.

Next Steps

Know your SAQ type? Return to the cost calculator to estimate your total compliance cost. Check the requirements page to understand what your SAQ covers. If you are on SAQ D, explore cost reduction strategies to potentially qualify for a simpler SAQ.

Frequently Asked Questions

What is the difference between SAQ A and SAQ D?

SAQ A is the simplest PCI self-assessment questionnaire with just 22 questions, designed for merchants who fully outsource all payment processing to a PCI-compliant third party (like Stripe Checkout or PayPal hosted pages). Card data never touches the merchant's systems. SAQ D is the most comprehensive questionnaire with 329 questions (merchant version) or 347 questions (service provider version), covering all 12 PCI DSS requirements. SAQ D is required for any merchant that stores, processes, or transmits cardholder data and doesn't qualify for a simpler SAQ. The cost difference is significant: SAQ A typically costs $300-$1,000 to complete vs $5,000-$20,000+ for SAQ D.

Which SAQ is easiest?

SAQ A is the easiest PCI self-assessment questionnaire to complete, with only 22 questions and no requirement for vulnerability scanning or penetration testing. It's available to merchants who fully outsource their payment processing to a PCI-compliant provider using redirect or hosted payment pages. SAQ P2PE is the second easiest with 33 questions, available to merchants using validated Point-to-Point Encryption terminals for in-person payments. Most small businesses can qualify for SAQ A by using hosted payment solutions like Stripe Checkout, PayPal, or Shopify Payments. The key requirement is that card data must never touch your own systems or servers.

How many questions are on SAQ D?

SAQ D for merchants contains 329 questions covering all 12 PCI DSS requirements. SAQ D for service providers contains 347 questions with additional service-provider-specific requirements. SAQ D is essentially the full PCI DSS standard in self-assessment format. Completing SAQ D typically requires involvement from IT, security, compliance, HR (for training requirements), facilities (for physical security), and management. Most organisations need 2-4 months to complete SAQ D for the first time, and many engage a PCI consultant to assist. The comprehensive nature of SAQ D is why cost reduction strategies that help merchants qualify for a simpler SAQ can save thousands of dollars annually.

Can I do SAQ A if I use Stripe?

It depends on which Stripe integration you use. If you use Stripe Checkout (full redirect to a Stripe-hosted payment page), you qualify for SAQ A. If you use Stripe Elements (embedded payment fields using JavaScript on your page), you likely need SAQ A-EP because your website's JavaScript environment can affect the security of the payment form. If you use the Stripe API to directly handle raw card numbers on your server, you need SAQ D. The critical distinction is whether card data passes through your systems or only through Stripe's systems. Stripe's documentation includes a helpful guide on which SAQ applies to each integration method.

Do I need SAQ A-EP for iframe payments?

Generally yes. If you embed a payment form in an iframe on your website, you typically need SAQ A-EP rather than SAQ A. This is because your website's code controls the parent page surrounding the iframe, and malicious JavaScript on your page could potentially overlay or redirect the iframe. Under PCI DSS 4.0, Requirement 6.4.3 specifically addresses the security of scripts on payment pages, making SAQ A-EP requirements more demanding. The exception is if you use a full-page redirect to the payment provider's domain (not an iframe on your page), in which case SAQ A applies. The distinction between redirect and iframe is one of the most commonly misunderstood aspects of PCI compliance for e-commerce merchants.