9 Types of Payment Card Industry Self Assessment Questionnaires

In our previous blogs, we have talked about what PCI DSS is, its major benefits, and the consequences of non-compliance. We also looked at the PCI DSS requirements and merchant levels.

This blog dives deeper into the topic and focuses on the different types of questionnaires involved in the compliance process.

The Payment Card Industry Security Standards Council has designed nine Self-Assessment Questionnaires, which are self-validation tools to assess the security of your cardholder data. The Self-Assessment Questionnaire or SAQ includes a series of yes-or-no questions for each applicable PCI Data Security Standard requirement. If an answer is no, your organization may be required to state the future remediation date and associated actions.

Different questionnaires are available to meet different merchant and/or service provider environments. Below is a list of the nine different self-assessment questionnaires:


SAQ A

This self-assessment questionnaire is to be completed by merchants who deal with ‘card not present’ transactions, i.e. e-Commerce, mail or telephone order. If your organization has outsourced all cardholder functions to PCI DSS compliant third-party service providers and does not electronically store, process or transmit cardholder data on your systems or premises, this SAQ is the right one for you. (Not applicable to face-to-face channels)


SAQ A-EP

The ‘A-EP’ self-assessment questionnaire is similar to SAQ A but applies to merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. (Applicable only to e-Commerce channels)


SAQ B

This self-assessment questionnaire is applicable to merchants who use only imprint machines and/or standalone, dial-out terminals and have no electronic cardholder data transmission, processing or storage. (Not applicable to e-Commerce channels)


SAQ B-IP

The B-IP self-assessment questionnaire is applicable to all merchants who only utilise standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. This questionnaire covers terminals that are network-based, whereas SAQ B is for terminals that transmit data through dial-up. (Not applicable to e-Commerce channels)


SAQ C-VT

This self-assessment questionnaire is designed for merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. These merchants also do not store any cardholder data. (Not applicable to e-Commerce channels)


SAQ C

This self-assessment questionnaire is for merchants with payment application systems connected to the Internet, and who don’t store any cardholder data electronically. (Not applicable to e-Commerce channels)


SAQ P2PE

This self-assessment questionnaire is intended for merchants who use approved point-to-point encryption (P2PE) devices, with no electronic card data storage. P2PE uses specially-approved devices to capture and encrypt cardholder data before that data ever enters a merchant's computer network. (Not applicable to e-Commerce channels)

SAQ D (For Merchants)

This is a self-assessment questionnaire for merchants who are not described in the above types of SAQs.

SAQ D (All service providers defined by a payment brand as eligible to complete a SAQ) 

This is a self-assessment questionnaire for service providers who are not described in the above types of SAQs.


Is your business looking to get PCI DSS compliant? StickmanCyber's PCI DSS compliance service deploys a 5-step methodology to help you build trust with your customers and guarantee secure transactions with PCI DSS Compliance.
