The Ultimate Guide To PCI-SAQs For Finance Startups

PCI-SAQs For Finance Startups

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is essential and frequently required for companies that process credit and debit card payments. Based on an organization’s particular circumstances and transaction volume, PCI-SAQs play a crucial role in this process by identifying the necessary level of self-assessment needed to achieve PCI DSS compliance standards. 

Understanding and navigating PCI-SAQs will enable your firm to safeguard sensitive cardholder data, foster customer loyalty, and maintain a secure payment environment, whether you’re a small e-commerce startup or an established merchant. But what are PCI-SAQs? 

In short, the PCI DSS self-assessment questionnaires (SAQs) are verification and analysis tools for merchants and service providers designed to help them report the findings of their PCI DSS self-assessment. These are more helpful for smaller businesses, i.e., level two, three, or four merchants, with annual transactions lower than 6 million. A PCI-SAQ is an aggregation of basic Yes and No questions that are the best way for small businesses to identify whether they are missing important compliance requirements. 

However, based on the unique requirements of your business, you have to choose one SAQ out of the eight currently available under the PCI DSS compliance framework. Selecting accurately here might seem overwhelming, so you need an overview of each type of PCI-SAQ. In this blog, we will discuss all eight of them and show you how you can fill your PCI-SAQ error-free!

What are the Eight Different Types of PCI-SAQs?

The eight different types of PCI-SAQs are based on how you, as a merchant, process and handle payments and card transactions. Let’s check out what these are.

  1. PCI SAQ A

This applies to businesses that have delegated all cardholder data processing to outside service providers and need the infrastructure to store, process, or transfer cardholder data electronically on-site. It is not relevant for face-to-face channels.

  1.  PCI-SAQ A-EP

SAQ A-EP is for online retailers and e-Commerce merchants who:

  • use external payment processing functions to verify information from third parties
  • have a website that does not accept cardholder data but may impact security
  • cannot transmit, process, or store cardholder data on internal merchant systems

It solely applies to online shopping channels.

  1.  PCI-SAQ B

This is only applicable to business merchants who: 

  • cannot support the storage of cardholder data without imprint machines
  • use individual dial-out terminals that don’t allow for the storage of e-cardholder data

It does not apply to online shopping channels.

  1.  PCI-SAQ B-IP

This only applies to businesses that use standalone PTS-approved payment terminals and IP connections to payment processors and do not store electronic cardholder data. 

SAQ B-IP also does not apply to channels for online shopping..

  1.  PCI SAQ C-VT

Merchants who manually process one transaction at a time using a keyboard to a web-based virtual terminal hosted by a third-party service provider that has undergone PCI DSS validation are subject to SAQ C-VT. These merchants also should not be storing electronic cardholder information. 

It also does not apply to online shopping channels.

  1.  PCI-SAQ C

It is for retailers who use an online payment application system and do not keep electronic cardholder information.

This also does not apply to online shopping channels.


This is for retailers who exclusively accept payments through hardware terminals. These terminals are integrated with and managed by a PCI SSC-listed, certified P2PE solution that does not keep electronic cardholder data on file. 

It also does not apply to online shopping channels.

  1. PCI-SAQ D

This applies to retailers whose transactions don’t fall under any of the above-mentioned criteria. It also applies to service providers if the payment brand stipulates that they are eligible to execute an SAQ.

In the next section, we will dive into how you can fill out your PCI-SAQ error-free.

How to Fill Out Your PCI-SAQ Without Any Mistakes?  

You need to follow these six steps outlined below:

  1. Evaluate Your Merchant or Service Provider Levels

Your organization will be classified as Level 1, 2, 3, or 4 depending on the volume of transactions you process annually. Level One organizations have the biggest volume of transactions and, consequently, the highest compliance requirements. You may determine the level your organization falls on by studying tables 1 and 2 given below.

  1. Asses the Compliance Requirements at Your Level

The requirements decrease as you execute fewer transactions yearly, and vice versa. You can see Tables 3 and 4 below for the regulations for service providers and retailers about validation. For businesses that do less than 6 million transactions annually, they must:

  • conduct quarterly network security assessments on every external network
  • complete the SAQ
  • complete an Attestation of Compliance (AoC – to be explained later)

For a PCI DSS audit to determine whether the company has more than 400 security controls required by the PCI Data Security Standard, high-volume merchants (Level 1) and some service providers must hire a Qualified Security Assessor.

  1. Determine Which SAQ to Use For Your Organization

The method you employ for transactions, whether you save cardholder data or not and the kind of business you run will determine which SAQ is right for your organization.

For instance, you would come under SAQ B if you only employ imprint devices to process card transactions. Whereas, you would come under SAQ A-EP if you handle card-not-present transactions (remote orders) and direct customers to a third-party platform for payment processing. 

You can start completing the SAQ after determining which one pertains to your company. 

An SAQ consists of several Yes and No questions that involve basic research into the business, and questions about each PCI requirement and sub-requirement are included in a second section.

You can read about the different types of PCI-SAQs in the aforementioned section.

  1. Download the Right SAQ and the Attestation of Compliance (AoC)

Merchants and service providers utilize the AOC to certify the findings of a PCI DSS self-assessment. It is delivered to an acquirer or payment brand with the relevant SAQ and any further paperwork that may be required. 

Members of the it or information security team typically complete the SAQ. A completed SAQ and an Attestation of Compliance (AoC) from a company officer in charge of compliance (often the Chief Financial Officer or an equivalent) are delivered together.

Working with a licensed PCI QSA company that can streamline the self-assessment process frequently makes sense, given the significance of selecting the appropriate questionnaire and ensuring it is completed appropriately.

  1. Conduct PCI Vulnerability Scans and Penetration Testing, if Needed

Vulnerability scans check your systems for recognized vulnerabilities and notify you of potential exposures. Penetration tests are designed to find vulnerabilities in the design of your IT network and gauge the ease with which a malicious attacker could access your assets without authorization. Depending on the type of SAQ, the organization could submit quarterly vulnerability scans and annual penetration testing to ensure compliance.

For instance, SAQs A. B, C-VT, and P2PE SW do not require either. However, SAQ C requires vulnerability testing, while SAQ D requires both Vulnerability and pen testing.

  1. Complete the Attestation of Compliance (AoC)

This document, more often referred to as the Attestation of Compliance (AoC), is a portion of the Self-Assessment Questionnaire (SAQ) you obtained. It should be completed once the conditions for your relevant SAQ have been satisfied. Payment processors, gateways, acquiring banks, clients, potential clients, and other interested parties frequently ask for this document to show proof of genuine PCI DSS compliance and certification.

PCI DSS Compliance Readiness with Akitra!

Establishing trust is a crucial competitive differentiator when courting new SaaS businesses in today’s era of data breaches and compromised privacy. Customers and partners want assurances that their organizations are doing everything possible to prevent disclosing sensitive data and putting them at risk, and compliance certification fills that need.

Akitra offers an industry-leading, AI-powered Compliance Automation platform for SaaS companies. Using automated evidence collection and continuous monitoring, together with a full suite of customizable policies and controls as a compliance foundation, our compliance automation platform and service help our customers prepare readiness for the PCI DSS compliance standard, along with other security frameworks like SOC 1, SOC 2, HIPAA, GDPR, ISO 27001, ISO 27701, ISO 27017, ISO 27018, NIST CSF, NIST 800-53, NIST 800-171, FedRAMP, CCPA, CMMC, and more such as CIS AWS Foundations Benchmark, etc. In addition, companies can use Akitra’s Risk Management product for overall risk management for your company, Trust Center, and AI-based Automated Questionnaire Response product to streamline and expedite security questionnaire response processes delivering huge cost savings. Our compliance and security experts will provide customized guidance to navigate the end-to-end compliance process confidently. 

The benefits of our solution include enormous savings in time, human resources, and cost savings, including discounted audit fees with our audit firm partners. Customers achieve compliance certification fast and cost-effectively, stay continuously compliant as they grow, and can become certified under additional frameworks using a single compliance automation platform.

Build customer trust. Choose Akitra TODAY!‍

To book your FREE DEMO, contact us right here.

Request a Demo & See if We’re the Right Fit for Each Other

cta 2

Request a Demo & See if We’re the Right Fit for Each Other

cta 2

Request a Demo & See if We’re the Right Fit for Each Other

cta 2

We care about your privacy​
We use cookies to operate this website, improve usability, personalize your experience, and improve our marketing. Your privacy is important to us and we will never sell your data. Privacy Policy.

%d bloggers like this: