What is the difference between SAQ A and SAQ A-EP?

SAQ A applies to card-not-present merchants where all cardholder data functions are fully outsourced and the merchant's website has no effect on the security of the payment transaction. SAQ A-EP applies when the merchant's e-commerce website or application affects the security of the payment flow — for example, if the site loads scripts, redirects, or iframes involved in the payment process. Merchants that implement payment page security controls may find that SAQ A-EP applies rather than SAQ A.

How many questions are in each PCI-DSS SAQ type?

Approximate question counts by SAQ type under PCI-DSS 4.0: SAQ A — 22 questions; SAQ A-EP — 191 questions; SAQ B — 41 questions; SAQ B-IP — 83 questions; SAQ C — 161 questions; SAQ C-VT — 65 questions; SAQ D (Merchant) — 329 questions; SAQ D (Service Provider) — 331 questions. The counts reflect the standard SAQ form and may vary slightly with form updates.

What happens if I complete the wrong SAQ type?

Filing a simpler SAQ than your payment environment requires does not achieve compliance — it creates liability exposure. In the event of a breach, card brands and acquirers review the SAQ filed at the time of the incident. A mismatch between the SAQ completed and the actual environment is treated as evidence of inadequate compliance management and may result in fines, increased transaction fees, or loss of card acceptance privileges.

Can a P2PE solution reduce my PCI-DSS SAQ scope?

Yes. Merchants using a PCI SSC-validated Point-to-Point Encryption solution may qualify for SAQ P2PE, which is significantly shorter than SAQ D and focuses on physical security of the P2PE hardware and adherence to the solution provider's implementation guide. Scope reduction is legitimate only when using a solution listed on the PCI SSC's List of Validated P2PE Solutions — not all encryption implementations qualify.

PCI-DSS Compliance

PCI-DSS SAQ Types: Choosing the Right Self-Assessment Questionnaire

PCI-DSS provides eight Self-Assessment Questionnaire types under version 4.0, each applicable to a specific payment acceptance model. Selecting the wrong SAQ — or qualifying for a simpler one when a more comprehensive type applies — is one of the most consequential compliance errors a payment-handling organization can make. The right SAQ depends on how your organization accepts cards, whether you store cardholder data, and how your payment page or terminal connects to other systems.

Start the 90-Day Proof
Talk to an Expert

What an SAQ Is and When It Applies

The Self-Assessment Questionnaire is a validation tool that merchants use to confirm their compliance with PCI-DSS requirements applicable to their payment environment. It is the primary compliance validation mechanism for merchant levels 2 through 4 — organizations processing below the volume threshold that requires a full Qualified Security Assessor (QSA) on-site assessment. SAQ completion results in an Attestation of Compliance (AOC) submitted to the merchant’s acquirer.
The SAQ process requires honest self-evaluation — not just checking boxes. An organization that completes SAQ A when its actual payment environment qualifies for SAQ A-EP or SAQ D does not achieve compliance by filing the simpler form; it creates liability exposure. Card brands and acquirers investigate the SAQ completed at the time of a breach, and a mismatch between the SAQ filed and the actual environment is treated as evidence of inadequate compliance management. SAQ eligibility is determined by the payment channel and technical architecture, not by preference. For merchant-level context that determines whether an SAQ or a QSA assessment applies, see PCI-DSS merchant levels.

The Eight SAQ Types Under PCI-DSS 4.0

SAQ Type	Eligible Merchant Profile	Approximate Question Count	CDE Storage
SAQ A	Card-not-present merchants only; all cardholder data functions (processing, storage, transmission) fully outsourced to PCI-DSS-validated third parties; no electronic cardholder data on merchant systems or premises	~22 questions	None
SAQ A-EP	E-commerce merchants with a payment page partially hosted by a PCI-DSS-validated third party, but where the merchant’s website or application affects the security of the payment transaction (e.g., the site loads scripts, redirects, or iframes used in the payment flow)	~191 questions	None
SAQ B	Merchants using only imprint machines with no electronic cardholder data storage, or standalone dial-out terminals (not IP-connected) with no electronic storage	~41 questions	None
SAQ B-IP	Merchants using standalone, IP-connected payment terminals that do not store cardholder data electronically; terminals are isolated from other network systems	~83 questions	None
SAQ C	Merchants with payment application systems connected to the internet but not storing cardholder data electronically beyond what is required for transaction authorization; no connection between the internet-facing system and other systems within the merchant environment	~161 questions	None beyond authorization
SAQ C-VT	Merchants that process cardholder data exclusively via web-based virtual terminals accessed through an internet browser; transactions are single entries, manually keyed; no electronic cardholder data storage	~65 questions	None
SAQ D (Merchant)	Merchants that do not qualify for any other SAQ type — including merchants that store cardholder data electronically, use multiple payment channels, or have a complex cardholder data environment	~329 questions	May be present
SAQ D (Service Provider)	Service providers that store, process, or transmit cardholder data on behalf of merchants and are not eligible for another SAQ type; includes cloud providers, managed service providers, and payment facilitators not validated via P2PE	~331 questions	May be present

The SAQ A vs. SAQ A-EP Distinction: The Most Common Error

The most consequential SAQ selection error in e-commerce environments is filing SAQ A when SAQ A-EP applies. The distinction turns on one question: does the merchant’s website or application affect the security of the payment transaction?
SAQ A eligibility requires that all cardholder data functions — processing, storage, and transmission — are fully outsourced to a PCI-DSS-validated third party, and that the merchant’s systems have no electronic storage of cardholder data and no impact on the security of the payment page. If the merchant’s website loads any script, redirect, iframe, or element that is used in the payment flow — even if the payment processor hosts the underlying transaction — the merchant’s website affects the security of that transaction, and SAQ A-EP applies rather than SAQ A.
PCI-DSS 4.0’s new Requirement 6.4 for payment page script management is directly relevant to this distinction. A merchant’s implementation of content security policy or script inventory to comply with Requirement 6.4 is, itself, evidence that the merchant’s systems affect the payment security flow — which supports SAQ A-EP eligibility rather than SAQ A. Merchants that have implemented any payment page security controls should re-evaluate their SAQ eligibility. See PCI-DSS 4.0 changes for detail on the script management requirement.

SAQ D for Service Providers: An Assessment-Level Commitment

SAQ D for service providers covers the full scope of PCI-DSS requirements and requires responses to approximately 331 questions. For most service provider organizations, completing SAQ D honestly requires the same operational infrastructure as a QSA-assisted assessment: formal policy framework, documented risk assessment, evidence of continuous monitoring, access control lifecycle documentation, and penetration testing. Organizations that attempt SAQ D as a paper exercise without the underlying operational controls create the highest-risk compliance posture — the controls are neither present nor independently validated.
Service providers that store, process, or transmit cardholder data for more than 300,000 American Express transactions annually, or that have been identified by a card brand or acquirer as requiring a Report on Compliance (ROC) rather than an SAQ, must undergo a full QSA assessment regardless of their preference for SAQ D self-assessment. See PCI-DSS merchant levels for the transaction volume thresholds that trigger mandatory QSA involvement.

P2PE-Validated Solutions and SAQ Reduction

Merchants that deploy a PCI SSC-validated Point-to-Point Encryption (P2PE) solution may qualify for SAQ P2PE, a significantly shorter questionnaire that focuses on the physical security of the P2PE hardware and the merchant’s adherence to the solution provider’s implementation guide. P2PE validation reduces scope because cardholder data is encrypted at the point of interaction before it touches any merchant system. Scope reduction through P2PE is legitimate only when using a solution on the PCI SSC’s List of Validated P2PE Solutions — not all encryption solutions qualify.

Armorstack’s Role in SAQ Selection and Completion

Armorstack’s VERITY advisory team conducts payment environment scoping reviews that determine the correct SAQ type before an organization begins self-assessment. The scoping review maps the complete payment acceptance architecture — channels, systems, third-party integrations, data flows, and storage — against the eligibility criteria for each SAQ type and produces a documented scoping determination that the organization can present to its acquirer.
For organizations completing SAQ D or preparing for a full QSA assessment, SENTRY managed detection and response provides the continuous monitoring, log management, and documented alert review required by Requirements 10 and 11. CORE managed IT services maintains the infrastructure controls — MFA, patch management, firewall configuration, access control — that SAQ D and QSA assessments evaluate in depth. For a broader view of the compliance program, see PCI-DSS compliance. To discuss your payment environment and determine the correct SAQ type, talk to an Armorstack compliance expert or start the 90-Day Proof.