Frequently Asked Question

What is a PCI DSS Self-Assessment Questionnaire?

PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for use by SAQ-eligible merchants and service providers to perform and report the results of their PCI DSS self-assessments. There are several different SAQs, developed for specific types of environments as defined in each SAQ’s eligibility criteria.

Each SAQ contains a "Completing the Self-Assessment Questionnaire" section, which outlines the type of environment that the SAQ is intended for. All the eligibility criteria for a particular SAQ must be met to use that SAQ.

Additional guidance is also provided in PCI DSS Self-Assessment Questionnaire Instructions and Guidelines, available in the Document Library.

Merchants should consult with their compliance-accepting entity, that is, the entity to which the SAQ will be submitted (typically an acquirer (merchant bank) or a payment brand), to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.

SAQ D for Service Providers is the ONLY SAQ for SAQ-eligible service providers. All other SAQs are for merchant use only.

Refer to FAQ 1133: Why are there multiple PCI DSS Self-Assessment Questionnaires (SAQs)?

April 2024
Article Number: 1215
