Which SAQ is easiest?

SAQ P2PE (33 controls) for in-person merchants using a PCI-validated point-to-point encryption terminal. SAQ A (22 controls) for online merchants who fully redirect to a hosted payment page. Both can typically be completed in a single afternoon.

How many questions are on SAQ D?

SAQ D-Merchant has 329 questions and SAQ D-Service Provider has 347. They cover all 12 PCI DSS requirements in full. Most merchants who land on SAQ D could move to a simpler SAQ via tokenization or a hosted payment page.

Can I do SAQ A if I use Stripe?

Yes if you redirect to Stripe Checkout or use Stripe's hosted invoice payments. No if you use Stripe Elements, Stripe.js, or any embedded form, in which case SAQ A-EP applies. Requirement 6.4.3 (payment page script management) makes A-EP materially more expensive than A.

Do I need SAQ A-EP for iframe payments?

Yes. SAQ A-EP applies to e-commerce merchants whose website can affect the security of the payment page, including iframe and Stripe Elements integrations. The PCI SSC explicitly clarified this in 4.0. SAQ A is reserved for full redirect or P2PE flows where your domain has zero ability to influence card capture.

SAQ guide

Which PCI SAQ do you need?

Nine SAQ types exist. Most merchants land on the wrong one and pay for hundreds of controls they should never have been in scope for. Use the wizard to narrow it down, then confirm with the comparison table below.

Updated April 2026

Step 1 of 3

How do you primarily accept card payments?

All nine SAQ types compared

SAQ	Who it is for	Questions	Cost	Effort
SAQ A	Card-not-present merchants using fully hosted payment pages (redirect)	22	$300 - $1,000	1-3 days
SAQ A-EP	E-commerce merchants with website that affects payment page security (iframe/JS)	191	$2,000 - $8,000	2-6 weeks
SAQ B	Merchants using imprint machines or standalone dial-out terminals only	41	$500 - $2,000	1-2 weeks
SAQ B-IP	Merchants using standalone IP-connected POS terminals (no electronic card data storage)	82	$800 - $3,000	2-4 weeks
SAQ C	Merchants with payment application systems connected to the internet	160	$1,500 - $6,000	3-6 weeks
SAQ C-VT	Merchants manually entering single transactions via virtual terminal on isolated computer	79	$800 - $2,500	1-3 weeks
SAQ D (Merchant)	All merchants not qualifying for any other SAQ type	329	$5,000 - $20,000	2-4 months
SAQ D (Service Provider)	Service providers eligible to self-assess	347	$8,000 - $25,000	3-6 months
SAQ P2PE	Merchants using validated P2PE hardware terminals only	33	$400 - $1,500	1-2 weeks

Easiest path

SAQ A: fully outsourced

22 controls. For merchants who use a hosted payment page (Stripe Checkout, PayPal, Shopify Payments) where customers are redirected entirely off your domain. Card data never enters your servers. Annual cost: $300 to $1,000.

Common mistake: assuming you qualify when JavaScript on your payment page can intercept card data before it reaches the provider. If your site loads scripts on the payment page, you almost certainly need SAQ A-EP instead.

Hardest path

SAQ D: the catch-all

329 controls. The default for any merchant who stores card data, processes payments through their own server-side code, or fits no other SAQ. Annual cost: $5,000 to $20,000+. Many SAQ D merchants could move to SAQ A or SAQ A-EP through tokenization or a hosted payment page.

When to skip the SAQ entirely: if you are heading toward Level 1 or your acquirer is asking for evidence beyond an SAQ, a QSA-led ROC may be a more efficient route than a 329-question self-attestation.

SAQ A-EP: the e-commerce grey area

SAQ A-EP is where most online merchants get caught out. It applies whenever your website can influence the security of the payment page, even if card data is submitted directly to the processor.

SAQ A applies

Customer redirected to processor-hosted page
Full-page redirect to Stripe Checkout, PayPal, Adyen Drop-in
iframe served entirely from the processor domain with no parent-page interaction

SAQ A-EP applies

Stripe Elements, Stripe.js, embedded payment fields
Custom iframe where your page provides scripts or styling
Direct-post integrations with client-side JavaScript
Any page that loads third-party tags before the payment field

Need an independent assessment?

Our partner network includes QSAs and ISAs across all merchant levels. Costs vary by scope and QSA fees are quoted independently. We do not endorse a specific firm.

Find a QSA in the PCI SSC directory →

Frequently asked

SAQ A has 22 controls and is for merchants who fully outsource payment processing to a hosted payment page (like Stripe Checkout or PayPal). SAQ D has 329 controls and is the comprehensive default for any merchant whose environment touches card data directly. The cost gap is roughly $300 to $1,000 for SAQ A vs $5,000 to $20,000 for SAQ D.

Stop the processor fee

Complete the right SAQ to remove it.

Move down the SAQ ladder

Tokenization, hosted pages, P2PE.

Cost by merchant level

How SAQ choice changes by level.