Decision guide
Which SAQ do I need?
The PCI Council publishes nine different SAQs. Most merchants only need to consider five of them. Work through the questions below in order — the first "yes" that matches is your starting point.
- Step 1: Do you take any card payments at all?
  - Yes: Continue.
  - No: PCI doesn't apply. You can stop here.
- Step 2: Are all your card payments handled by a third party that you redirect customers to?
  - Yes: If your e-commerce flow is a redirect or processor-served iframe and you never touch card data, you're a candidate for SAQ A.
  - No: Continue — you'll need a more comprehensive SAQ.
- Step 3: Do you have your own e-commerce checkout page that loads a third-party payment iframe?
  - Yes: SAQ A-EP. Your server controls the page, so it's in scope even though card data goes straight to the processor.
  - No: Continue.
- Step 4: Do you take payments only through standalone, dial-out (PSTN) terminals or imprint machines?
  - Yes: SAQ B. No internet, no e-commerce.
  - No: Continue.
- Step 5: Do you take payments only through standalone IP-connected payment terminals?
  - Yes: SAQ B-IP. Same as B, but the terminal sits on your IP network.
  - No: Continue.
- Step 6: Do you take payments through a virtual terminal accessed only from a single, dedicated, isolated computer?
  - Yes: SAQ C-VT.
  - No: Continue.
- Step 7: Do you have a payment application that is connected to the internet, with any stored card data segmented out of it?
  - Yes: SAQ C.
  - No: Continue.
- Step 8: Do you use a PCI-listed P2PE (point-to-point encryption) solution?
  - Yes: SAQ P2PE — covers merchants using only validated P2PE solutions.
  - No: You're on SAQ D — the catch-all. This includes most phone-payment merchants without a descope solution.
Reminder: this is a starting point, not a substitute for a Qualified Security Assessor. Your acquirer or QSA has the final say on which SAQ applies.