
PCI SAQ (Self-Assessment Questionnaire)

PCI DSS

PCI DSS self-assessment for merchants (and some service providers) that meet the eligibility criteria. Questionnaire types: A, A-EP, B, B-IP, C, C-VT, D and P2PE; SAQ D is issued in separate Merchant and Service Provider versions, which is why the set is commonly counted as nine.

The PCI Self-Assessment Questionnaire is a compliance validation path used in lieu of a full Report on Compliance (ROC), available to entities whose acquirer or card brand does not require an on-site assessment. Which SAQ applies is dictated by the payment-channel architecture, not chosen for convenience: SAQ A covers e-commerce where the payment page is fully outsourced to a PCI DSS compliant provider, while SAQ D applies to any merchant that does not meet the eligibility criteria of a narrower SAQ, including those that store PAN electronically.

Why it matters
Choosing the wrong SAQ understates scope: controls that apply to the real architecture are never assessed, and the signed attestation misrepresents the environment, which becomes a liability question after a breach. The most common misclassification is SAQ A versus SAQ A-EP. Both cover e-commerce where the merchant's systems never receive cardholder data, but SAQ A applies only when the payment page is delivered entirely by the provider (a full redirect or a provider-hosted iframe). When the merchant's own page serves the card-entry form or the JavaScript that builds it, even if the data posts directly to the provider (a direct-post integration), SAQ A-EP applies, and with it a much larger set of requirements.
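The A / A-EP / D distinction above comes down to where the card-entry form lives and where it posts. The following script is an added example, not part of the glossary or of any PCI SSC material: a static heuristic that scans checkout-page HTML and reports which SAQ the markup points to. It assumes the provider's hostnames are known (PSP_HOSTS is a constructed placeholder) and that card fields are recognisable by their autocomplete or name attributes. It cannot see fields injected at runtime by JavaScript, so an "inconclusive" or "SAQ A" result is a starting point for review, not a scoping decision.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder: the payment service provider's hostnames. In a real
# review, take these from the provider's integration guide and Attestation of Compliance.
PSP_HOSTS = {"pay.example-psp.com"}

# Attribute values (autocomplete / name / id) that mark a field collecting card data.
CARD_HINTS = {"cc-number", "cc-exp", "cc-csc", "cardnumber", "card_number",
              "card-number", "cvv", "cvc", "pan"}


class CheckoutScan(HTMLParser):
    """Collects the markup features that decide SAQ A / A-EP / D eligibility."""

    def __init__(self):
        super().__init__()
        self._form_stack = []    # action host of each open <form> ("" = merchant's own origin)
        self.card_fields = []    # (field name, host the enclosing form posts to)
        self.psp_iframes = []    # <iframe src> hosted by the provider
        self.psp_scripts = []    # <script src> loaded from the provider
        self.other_scripts = []  # <script src> from anywhere else

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form_stack.append(urlparse(a.get("action", "")).hostname or "")
        elif tag == "input":
            hints = {a.get("autocomplete", "").lower(),
                     a.get("name", "").lower(),
                     a.get("id", "").lower()}
            if hints & CARD_HINTS:
                action_host = self._form_stack[-1] if self._form_stack else ""
                self.card_fields.append((a.get("name") or a.get("id"), action_host))
        elif tag == "iframe":
            host = urlparse(a.get("src", "")).hostname or ""
            if host in PSP_HOSTS:
                self.psp_iframes.append(host)
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            (self.psp_scripts if host in PSP_HOSTS else self.other_scripts).append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def classify(html: str) -> str:
    """Return the SAQ the static markup points to: 'SAQ A', 'SAQ A-EP', 'SAQ D' or 'inconclusive'."""
    scan = CheckoutScan()
    scan.feed(html)
    if scan.card_fields:
        # Card data is typed into the merchant's own page; where the form posts decides A-EP vs D.
        if all(host in PSP_HOSTS for _, host in scan.card_fields):
            return "SAQ A-EP"   # direct post to the provider: merchant controls the page, never receives PAN
        return "SAQ D"          # form posts to the merchant: merchant systems receive PAN
    if scan.psp_iframes:
        return "SAQ A"          # payment form hosted entirely by the provider
    return "inconclusive"       # redirect flow or JS-built form: inspect the runtime DOM


if __name__ == "__main__":
    # Constructed sample pages, one per integration pattern.
    samples = {
        "hosted iframe": '<iframe src="https://pay.example-psp.com/checkout/abc"></iframe>',
        "direct post": '<form action="https://pay.example-psp.com/direct" method="post">'
                       '<input name="cardnumber"><input name="cvc"></form>',
        "merchant receives PAN": '<form action="/pay" method="post">'
                                 '<input autocomplete="cc-number" name="ccn"></form>',
        "provider JS builds form": '<script src="https://pay.example-psp.com/v1.js"></script><div id="card"></div>',
    }
    for label, page in samples.items():
        print(f"{label:26s} -> {classify(page)}")
```

Run it against a saved copy of the real checkout page rather than a template: the decision hinges on what the browser actually receives, and a single merchant-served card field silently moves the merchant from SAQ A to A-EP.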

Related terms

PCI DSS
Card-brand mandated standard for any entity that stores, processes, or transmits cardholder data.
Cardholder Data (CHD)
PAN — alone or together with cardholder name, expiration, service code — defined by PCI DSS.
CDE (Cardholder Data Environment)
The people, processes, and technology that store, process, or transmit cardholder data — and connected systems.
