Which PCI DSS SAQ do I use?

If you’re looking to use a PCI DSS SAQ, this implies you’re eligible to assess your PCI DSS compliance using a Self Assessment Questionnaire.


Can I use a PCI SAQ?

Eligibility for this is determined by the card brands themselves, rather than the PCI Security Standards Council. This is ultimately determined by what level the card brands assign to your business; these articles detail the current rules around assessment levels for merchants and service providers.

What’s the correct PCI SAQ for my business?

Once you’ve confirmed that you are eligible to use a Self Assessment Questionnaire, you need to determine which one. If you’re a service provider, then the answer is very straightforward: you use the SAQ D for Service Providers.

If you’re not a service provider, then as a merchant you have a number of choices available to you. There are currently 8 different SAQs for merchants, including SAQ D for Merchants which is the general one for any merchant that isn’t covered by something more specific.

The PCI Security Standards Council publish a guidance document to help you choose which particular merchant SAQ you should use. Jump straight to page 18 of PCI DSS Self-Assessment Questionnaire Instructions and Guidelines for a diagram that will help you choose the correct SAQ for your business.

Where do I get a corresponding AOC?

Once you’ve completed the SAQ, you also need to generate an Attestation of Compliance (AOC). Links to download the AOC template corresponding to each SAQ are available here.