Open-source PCI compliance
PCI DSS SAQ Checklists in plain English
Free, open-source checklists for PCI DSS Self-Assessment Questionnaires. SAQ A, A-EP, B, and D — translated out of QSA jargon into language a busy ops manager can actually use.
Pick your SAQ
Not sure which one applies? Take the 8-step decision guide.
SAQ A
E-commerce with redirect/iframe, mail-order with outsourced call centre
Card-not-present, fully outsourced. Your processor handles everything. ~16 controls.
SAQ A-EP
Online merchants with their own checkout page that embeds the processor
E-commerce with iframe or redirect, but your server controls the page that loads them. ~70 controls.
SAQ B
Small retail, market traders, anyone still using carbon-copy or PSTN
Imprint machines or standalone dial-out terminals. No internet-connected payment systems. ~40 controls.
SAQ D
Service providers, complex environments, or anyone storing/processing card data directly
The catch-all. Used when nothing simpler fits — including most phone payment setups without a descope solution. 330+ controls.
Why this exists
The official PCI DSS SAQ documents are written for QSAs and security professionals. If you're a finance director or ops manager who's suddenly responsible for PCI, they're hard going.
We're Paytia. We build PCI-compliant phone payment systems for merchants and call centres. We see businesses get the SAQ wrong all the time — usually because the official guidance doesn't make it clear which one fits their setup, or what each control actually means in practice.
These checklists are our attempt at a shortcut: the controls that matter, in plain English, with the evidence you'll need. They're a starting point for your own assessment, not a substitute for one — your QSA still has the final word.
Phone payments are the one area we know best. If your business takes card payments over the phone, the agent typing the card number into a CRM brings the whole call into PCI scope. There's a way to remove that risk entirely — see how Paytia descopes phone payments.