Which SAQ Do I Need? SAQ A vs SAQ D Explained
Choosing the wrong Self-Assessment Questionnaire is the most expensive mistake in PCI compliance. Here is how SAQ A, SAQ D and the in-between types differ — and how to find yours.
If you take card payments, you almost certainly validate PCI compliance with a Self-Assessment Questionnaire (SAQ). But there is no single SAQ — there are several, and picking the wrong one is the single most common and expensive mistake UK merchants make. This guide explains the main types and how to find the one that actually applies to you. For the bigger picture first, see our complete guide to PCI DSS compliance.
What is an SAQ?
An SAQ is a checklist you complete each year to confirm you meet the PCI DSS controls that apply to your business. The fewer ways card data can touch your systems, the shorter and simpler your SAQ. The type you need depends entirely on how you accept payments and whether cardholder data ever reaches your own environment.
SAQ A — the simplest
SAQ A is for merchants who fully outsource payment handling — typically e-commerce businesses using a hosted payment page or iframe where card data goes straight to a PCI-compliant provider and never touches their website or servers. It is by far the shortest questionnaire (around 30 questions) and the cheapest route to compliance. Most small online shops should be on SAQ A.
SAQ A-EP, B, B-IP, C and C-VT — the middle ground
- SAQ A-EP — e-commerce sites that don't receive card data directly but whose page can affect the payment (e.g. a direct-post integration).
- SAQ B — standalone dial-out terminals with no electronic card data storage.
- SAQ B-IP — standalone PCI-approved terminals connected over IP.
- SAQ C — payment applications connected to the internet, not storing card data.
- SAQ C-VT — virtual terminals (manual key entry into a web form) on an isolated computer.
SAQ D — the most demanding
SAQ D is the catch-all for everyone who does not fit the other types — most importantly, any business that stores cardholder data or handles it directly in its own systems. It has around 250 questions (251 for merchants under PCI DSS v4.0.1) and covers the full breadth of PCI DSS. It is the right answer for some businesses, but it is also where merchants end up by accident when no one checks whether a simpler SAQ would have been valid.
The costly mistake
Because SAQ D is the 'default' many acquirers point to, businesses that could have completed a 30-question SAQ A often slog through SAQ D's ~250 questions instead — multiplying the time, effort and cost of compliance, sometimes by an order of magnitude. The fix is simple: map how card data flows through your business before you pick an SAQ. If you are not sure which applies, our free self-service assessment will point you to the right one in minutes.
Closely related: whether you even need PCI at all if you only use a terminal — see do I need PCI compliance if I only use a card machine? — and how much PCI compliance costs in the UK.