What is a Self-Assessment Questionnaire (SAQ)?

An SAQ is a validation tool for merchants who are not required to undergo a full on-site assessment. There are several types (A, A-EP, B, B-IP, C, C-VT, P2PE, and D), each matched to how you accept and handle card data. Choosing the right one is the first compliance step.

How is my merchant level determined?

Merchant level is set by annual card transaction volume per brand. Roughly, Level 1 is over 6 million transactions a year, Level 2 is 1 to 6 million, Level 3 is 20,000 to 1 million e-commerce, and Level 4 is everything below. Level 1 requires an on-site assessment by a QSA.

What is the cardholder data environment (CDE)?

The CDE is every system component that stores, processes, or transmits cardholder data, plus anything connected to or that could affect the security of those systems. Reducing the CDE through segmentation and outsourcing is the most effective way to cut compliance cost.

How does SAQ A reduce my scope the most?

SAQ A applies when you fully outsource cardholder data handling to a PCI-compliant third party and your site never touches card data, for example a redirect or fully hosted payment page. It has the fewest requirements because your systems are outside the CDE.

Is PCI DSS v4.0 different from v3.2.1?

Yes. v4.0 became mandatory in 2024 and adds requirements around authentication, targeted risk analysis, and stronger e-commerce script and phishing protections. The SAQ types remain, but several questionnaires have new and more demanding controls.

PCI DSS Scope Reduction Tool

The cost of PCI DSS compliance is driven almost entirely by scope: how much of your environment touches cardholder data. This tool asks a handful of structured questions about how you accept payments and whether you store card data, then returns the Self-Assessment Questionnaire type you most likely qualify for, your merchant level, and practical scope-reduction moves.

How it works

Two factors dominate the result:

Do your systems ever touch card data? If a fully hosted or redirect payment page keeps cardholder data off your servers entirely, you fall into the lightest questionnaire, SAQ A.
Channel and integration. Card-present, virtual terminal, direct-post e-commerce, and full storage each map to a different SAQ.

No card data on your systems + hosted/redirect page  → SAQ A
E-commerce with embedded/direct-post elements        → SAQ A-EP
Card-present, standalone PTS terminal, no storage    → SAQ B
Virtual terminal only                                → SAQ C-VT
You store, process, or transmit card data yourself   → SAQ D

Merchant level is then read from your annual transaction volume, and Level 1 volumes trigger a full on-site assessment by a Qualified Security Assessor.

Cutting scope

The fastest scope reductions are outsourcing the payment page to a compliant provider (move from SAQ D toward SAQ A), network segmentation to isolate any remaining CDE systems, and never storing the full PAN or any sensitive authentication data after authorisation. Each of these removes systems from the CDE and therefore removes requirements from your SAQ.