If your business, organisation or contact centre processes fewer than 6 million transactions annually, you may be able to ensure PCI DSS (Payment Card Industry Data Security Standards) compliance via a Self-Assessment Questionnaire (SAQ).

The type of assessment you must undergo will vary according to your merchant level, but if you are at a level which allows for SAQ submission instead of a full, formal audit each year, you will need to deliver your SAQ and Attestation of Compliance (AoC) via a responsible party at your business – typically your chief financial officer (CFO).

This may all sound like a lot of acronyms (and, yes, it is!) but in essence, these self-assessments are all about ensuring your organisation and clients are as protected as possible from the risk of data breaches and fraud. Failing to get your SAQ right can seriously endanger your business and place customer details at risk, which is why it’s so important to take SAQs seriously, and complete them correctly.

Choosing the Right SAQ for Your Business

The very first step towards correct completion is to choose the right SAQ in the first place. Because organisations come in all shapes and sizes, one size doesn’t fit all. This is why a range of SAQs has been developed to suit a variety of business types.

This simple guide will help you identify which SAQ is right for you, setting you on the right track…


  • Who is it for?
    “Card not present merchants” including contact centres, ecommerce businesses and mail order companies which outsource cardholder data processing functions to a PCI compliant 3rd party service provider. This means that these businesses never deal with cardholder data at any point.
  • Actions required
    • Paper copies of cardholder data must be destroyed or protected.
    • Details of 3rd party service providers must be kept.
    • Compliance of 3rd party services must be monitored.


  • Who is it for?
    Ecommerce merchants which partially outsource payment processing to a PCI-compliant 3rd party service provider. Depending on the merchant’s payment process (for example, if some parts of the payment form are completed on the merchant’s site before the customer is redirected to a 3rd party payment gateway) this type of SAQ may be applicable.
  • Actions required
    • Any ecommerce merchant formerly using SAQ A should read guidelines to identify whether they should now complete the new SAQ A-EP form instead.


  • Who is it for?
    Merchants processing payments via standalone terminals or imprint-only machines who do not use electronic cardholder data storage.
  • Actions required
    • Completion of SAQ B form, particularly to ensure terminals (which can now connect via BlueTooth, Ethernet and GSM/LTE) are isolated from networks and therefore not putting cardholder data at risk.


  • Who is it for?
    Merchants without electronic cardholder data storage who process payments via standalone PTS-approved point-of-interaction (POI) devices which have IP connections to payment processors. This type of transaction can take place in person or via the phone or post.
  • Actions required
    • Completion of SAQ B-IP form, particularly to ensure POI devices are isolated from other networks.
    • Paper merchant receipts must be the only type of cardholder data retained.


  • Who is it for?
    Merchants without electronic cardholder data storage who take payment via an internet connected application. These are usually widely used pieces of software connected to a standalone machine, operated by small, “bricks and mortar” businesses.
  • Actions required
    • Completion of SAQ C form, particularly to ensure the technology used to enter cardholder details is isolated from other networks and is strongly protected.


  • Who is it for?
    Merchants processing card data via PCI SSC-listed, P2PE (Point-to-Point Encryption) payment terminals. This can include physical and remote transactions.
  • Actions required
    • Completion of SAQ P2PE form.
    • All data must be entered via a validated P2PE hardware device.


  • Who is it for?
    Service providers and merchants who do not meet the criteria for any of the above questionnaires.
  • Actions required
    • Completion of SAQ D which includes all 200 PCI DSS requirements, marking non-applicable sections with caution.

Do you know which SAQ you need to complete? We specialise in PCI solutions for contact centres, helping to make compliance simpler through a range of hassle-free third party services. For more information, advice and assistance, please contact our expert consultants today.

This guide is the fourth chapter of our eBook ‘Starting Your PCI Compliance Journey‘.