You are here:

PCI SAQ support

Self-Assessment Questionnaires (SAQs) are verification tools provided by the PCI SSC that help Merchants and Service Providers report their compliance results with PCI DSS standards.  There are a variety of SAQs that can be applied to an organization depending on its payment processing methods.

The PCI SAQ applies to small merchants and service providers who must comply with all applicable PCI DSS standards, and who do not have to undergo an on-site data security assessment or submit a compliance report (ROC) :

  • Level 2 Service Providers that store, transmit, or process less than 300,000 credit card transactions annually
  • Level 2, 3 and 4 Merchants that store, transmit, or process less than 6 000 000 credit card transactions annually

SC2labs provides assistance in completing SAQs.

SAQ A is for merchants with account data functions completely outsourced, e-commerce or mail/telephone-order merchants (card-not-present) and do not store, process, or transmit any account data in electronic format on their systems or premises. This SAQ is not applicable to face-to-face channels. 

SAQ A-EP is applicable only to e-commerce merchants with a website(s) that does not itself receive account data but does affect the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data.

SAQ B is for merchants that process account data only via imprint machines or standalone, dial-out terminals.

SAQ B-IP is  for merchants that process account data only via standalone, PCI-listed approved PIN Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor.

SAQ C-VT is applicable to merchants that process account data only via third-party virtual payment terminal solutions on an isolated computing device connected to the Internet.

SAQ C is  for merchants with payment application systems (for example, point-of-sale systems) connected to the Internet, and that do not store electronic account data.

SAQ P2PE is for merchants that process account data only via a validated PCI-listed P2PE solution.

SAQ D for Merchants applies to merchants that are eligible to complete a self-assessment questionnaire but do not meet the criteria for any other SAQ type. Not applicable to service providers.


SAQ D for Service Providers applies to all service providers defined by a payment brand as being eligible to complete a self-assessment questionnaire. This SAQ is the only SAQ option for service providers.

We can assist you at every stage and level of SAQ :

  • when the type of SAQ questionnaire to be completed is not known or to verify the appropriate questionnaire selection.

  • when you don't know how to approach a document, we can arrange an SAQ consultation or a comprehensive service with ​workshops.

  • to ensure that organizations are completing the SAQ correctly, we offer a review service to assess whether the SAQ has been completed correctly.

  • if any organization requires the QSA auditor’s signature on SAQ documentation we can provide special dedicated SAQ assessment.

You may also be interested in: