SAQ guide

Which PCI SAQ do you need?

Nine SAQ types exist. Most merchants land on the wrong one and pay for hundreds of controls they should never have been in scope for. Use the wizard to narrow it down, then confirm with the comparison table below.

Updated April 2026

All nine SAQ types compared

| SAQ | Who it is for | Questions | Cost | Effort |
|---|---|---|---|---|
| SAQ A | Card-not-present merchants using fully hosted payment pages (redirect) | ~24 | $300 - $1,000 | 1-3 days |
| SAQ A-EP | E-commerce merchants with website that affects payment page security (iframe/JS) | ~139 | $2,000 - $8,000 | 2-6 weeks |
| SAQ B | Merchants using imprint machines or standalone dial-out terminals only | 41 | $500 - $2,000 | 1-2 weeks |
| SAQ B-IP | Merchants using standalone IP-connected POS terminals (no electronic card data storage) | 82 | $800 - $3,000 | 2-4 weeks |
| SAQ C | Merchants with payment application systems connected to the internet | 160 | $1,500 - $6,000 | 3-6 weeks |
| SAQ C-VT | Merchants manually entering single transactions via virtual terminal on isolated computer | 79 | $800 - $2,500 | 1-3 weeks |
| SAQ D (Merchant) | All merchants not qualifying for any other SAQ type | ~251 | $5,000 - $20,000 | 2-4 months |
| SAQ D (Service Provider) | Service providers eligible to self-assess | ~269 | $8,000 - $25,000 | 3-6 months |
| SAQ P2PE | Merchants using validated P2PE hardware terminals only | 33 | $400 - $1,500 | 1-2 weeks |

Question counts are approximate. PCI DSS v4.0.x consolidated many of the separate sub-requirements counted under the retired v3.2.1 into single controls, so exact totals vary by counting method and are lower than the older v3.2.1 figures. Confirm the current count in the relevant SAQ document in the PCI SSC document library.

Easiest path

SAQ A: fully outsourced

Around 24 requirements under v4.0.1. For merchants who use a hosted payment page (Stripe Checkout, PayPal, Shopify Payments) where customers are redirected entirely off your domain. Card data never enters your servers. Annual cost: $300 to $1,000.

Common mistake: assuming you qualify when JavaScript on your payment page can intercept card data before it reaches the provider. Since v4.0.1 (effective 31 March 2025), SAQ A eligibility requires confirming your entire site is not susceptible to script attacks, so if your site loads scripts on the payment page you almost certainly need SAQ A-EP instead.

Hardest path

SAQ D: the catch-all

Roughly 251 requirements under PCI DSS v4.0.1. The default for any merchant who stores card data, processes payments through their own server-side code, or fits no other SAQ. Annual cost: $5,000 to $20,000+. Many SAQ D merchants could move to SAQ A or SAQ A-EP through tokenization or a hosted payment page.

When to skip the SAQ entirely: if you are heading toward Level 1 or your acquirer is asking for evidence beyond an SAQ, a QSA-led ROC may be a more efficient route than a 250-plus-requirement self-attestation.

SAQ A-EP: the e-commerce grey area

SAQ A-EP is where most online merchants get caught out. It applies whenever your website can influence the security of the payment page, even if card data is submitted directly to the processor.

SAQ A applies

  • Customer redirected to processor-hosted page
  • Full-page redirect to Stripe Checkout, PayPal, Adyen Drop-in
  • iframe served entirely from the processor domain with no parent-page interaction

SAQ A-EP applies

  • Stripe Elements, Stripe.js, embedded payment fields
  • Custom iframe where your page provides scripts or styling
  • Direct-post integrations with client-side JavaScript
  • Any page that loads third-party tags before the payment field
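To check a checkout page against the two lists above, the following added example (not part of the original guide, and not an official PCI SSC eligibility test) inventories the scripts, iframes and card inputs in a page's static HTML and reports the SAQ A-EP indicators it finds. The host names and sample page are constructed placeholders, the first iframe or card input is assumed to be the payment field, and scripts injected at runtime are not seen by a static parse.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page; every host below is a placeholder.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://tags.analytics.example/tag.js"></script>
</head><body>
<iframe src="https://pay.processor.example/fields"></iframe>
<script src="https://cdn.chat.example/widget.js"></script>
</body></html>"""

class PageInventory(HTMLParser):
    """Collects scripts, iframes and card inputs in document order."""
    def __init__(self, merchant_host, processor_host):
        super().__init__()
        self.merchant, self.processor = merchant_host, processor_host
        self.items = []  # (kind, origin, detail)

    def origin(self, src):
        host = urlparse(src or "").hostname
        if host is None or host == self.merchant:
            return "merchant"  # relative URL or inline code
        return "processor" if host == self.processor else "third-party"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe"):
            self.items.append((tag, self.origin(a.get("src")), a.get("src") or "inline"))
        elif tag == "input" and (a.get("autocomplete") or "").startswith("cc-"):
            self.items.append(("card-input", "merchant", a.get("name") or "unnamed"))

def a_ep_indicators(html, merchant_host, processor_host):
    """List the reasons this page looks like SAQ A-EP rather than SAQ A."""
    inv = PageInventory(merchant_host, processor_host)
    inv.feed(html)
    # Assumption: the first iframe or card input is the payment field.
    field_at = next((i for i, it in enumerate(inv.items)
                     if it[0] in ("iframe", "card-input")), len(inv.items))
    reasons = []
    for i, (kind, origin, detail) in enumerate(inv.items):
        if kind == "card-input":
            reasons.append(f"payment field rendered by merchant page: {detail}")
        elif kind == "iframe" and origin != "processor":
            reasons.append(f"iframe not served from processor domain: {detail}")
        elif kind == "script":
            where = "before" if i < field_at else "after"
            reasons.append(f"{origin} script {where} payment field: {detail}")
    return reasons
```

Calling `a_ep_indicators(SAMPLE_PAGE, "shop.example", "pay.processor.example")` returns three findings; an empty list means the static HTML shows none of the A-EP patterns listed above.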

Need an independent assessment?

Our partner network includes QSAs and ISAs across all merchant levels. Costs vary by scope and QSA fees are quoted independently. We do not endorse a specific firm.

Find a QSA in the PCI SSC directory

Frequently asked

SAQ A has around 24 requirements under PCI DSS v4.0.1 (up from 22 in the retired v3.2.1) and is for merchants who fully outsource payment processing to a hosted payment page (like Stripe Checkout or PayPal). SAQ D is the comprehensive default for any merchant whose environment touches card data directly, with roughly 251 requirements for merchants (down from 329 in the retired v3.2.1, because v4.0 consolidated many sub-requirements). The cost gap is roughly $300 to $1,000 for SAQ A versus $5,000 to $20,000 for SAQ D.
