Understanding Self Assessment Questionnaire Eligibility

The PCI-DSS (Payment Card Industry Data Security Standard) are technical and operational requirements designed to protect cardholder data. These requirements apply to all organizations who store, process and transmit cardholder account data.

There are a total of 12 individual requirements which can be further broken down into sub-requirements. These requirements are designed to increase overall security of legitimate card transactions. Protecting this account data from exposure limits the possibility that the data will be used in subsequent fraudulent transactions. Failure to comply with PCI compliance protocols can lead to a data breach event as well as large fines and assessments for PCI non-compliance.

One such requirement for certain organizations is the need for PCI onsite assessments, also known as Level 1 Report on Compliance (ROC) audits. Depending on transactional volume and other factors, certain merchants may be eligible to complete a Self Assessment Questionnaire (SAQ). Other merchants may be required to validate using a Third Party Qualified Security Assessor (QSA). These QSA resources will assist in completing a full PCI validation and developing a signed and detailed Report on Compliance (ROC). This guide discusses whether or not SAQ eligibility can be used for determining the applicability of PCI DSS requirements for onsite assessments.

What is SAQ eligibility?

A self assessment questionnaire is a validation tool that can assist merchants with identifying PCI-DSS requirements that may be applicable to the specific processing environment. This document is used to report the results of the PCI-DSS self assessment. The PCI-DSS has created seven different SAQ versions, each with its own eligibility criteria. Prior to completing the document, entities should ensure they meet all eligibility for the SAQ and contact the acquiring bank to confirm the SAQ is appropriate for the processing environment. Entities that are defined as service providers must complete the SAQ D-SP for service providers.

The SAQ levels are defined as follows, according to the PCI-SSC:

  • A: Card-not-present merchants (e-commerce and mail/telephone orders) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
    -Not applicable to face-to-face channels.
  • A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website that does not directly receive cardholder data but that can impact the security of the payment transaction. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
    -Applicable only to e-commerce channels.
  • B: Merchants using only:
    -Imprint machines with no electronic cardholder data storage; and/or
    -Standalone, dial-out terminals with no electronic cardholder data storage.
    -Not applicable to e-commerce channels.
  • B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
    -Not applicable to e-commerce channels.
  • C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. There is no electronic cardholder data storage.
    -Not applicable to e-commerce channels.
  • C: Merchants with payment application systems connected to the Internet, but without electronic cardholder data storage.
    -Not applicable to e-commerce channels.
  • P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
    -Not applicable to e-commerce channels.
  • D: SAQ D is divided by merchant and service provider:
    -SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.
    -SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ.

Can SAQ eligibility be used to determine onsite assessments?

Validating entities that meet defined eligibility criteria for an SAQ can use that questionaire to validate PCI compliance. Differing SAQ levels will require the merchant to validate a different set of PCI requirements using a risk-based approach. Merchants and other validating entities should confirm the proper SAQ and validation method. Certain entities that do not qualify for an SAQ (or are directed by the acquiring bank) will be required to complete an onsite assessment with a PCI-DSS certified QSA who can produce and sign the ROC.

Assessors can use Section 3 of the ROC to clearly document the approach taken to confirm the scope is accurately defined and that a validating entity would meet the criteria for a specific SAQ. For each eligibility criteria, an assessor must verify that the criteria is met and provide documentation of how eligibility was verified. This includes performing the necessary independent testing and validation that any requirements listed N/A are, in fact, truly not-applicable to the specific validating entity. When completing the ROC, any requirements deemed N/A must be reported as “not applicable” when completing Section 6 of the ROC in the “summary of assessor findings” section.

A specific SAQ can only be used as a guide to the applicability of requirements if the validating entity meets ALL of the criteria specified for that SAQ. If the entity only partially meets the criteria, then the SAQ cannot be used to guide the validation in the manner described above.

How do PCI DSS onsite requirements vary by merchant level?

Merchants are defined as different levels based on transactional volume and/or history of data breaches.The thresholds for the merchant levels are defined by the individual card brands, and the volume is determined by the acquiring bank. Merchants that are defined as Level 1 (the highest level) are required to perform an onsite PCI validation utilizing a third party QSA to to complete an annual ROC. This ROC must be completed and submitted on an annual basis. Merchants that are defined as level 2, 3 or 4 are eligible to complete a SAQ and perform a self assessment without needing to hire a third party QSA for an onsite assessment.

As an example, the Visa merchant levels are defined as follows. (Transaction volume represents the number of Visa transactions processed over a 12 month period.)

  • Level 1: Merchants with over 6 million transactions a year across all channels or any merchant that has had a data breach.
  • Level 2: Merchants with 1 million - 6 million transactions annually across all channels.
  • Level 3: Merchants with 20,000 - 1 million online transactions annually.
  • Level 4: Merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million regular transactions per year.


Independent software vendors and merchants must make sure to comply with PCI compliance protocols, including any required SAQs or onsite assessments. Failure to comply with PCI compliance protocols can lead to a data breach as well as large fines. Contact us today to learn more about PCI compliance requirements.

Richard Rohena

Manager of PCI Compliance Services

Richard is the Manager of PCI Compliance Services with Global Payments Integrated, providing developers of credit card payment solutions and merchants with a deep understanding of the Payment Card Industry Data Security Standard (PCI-DSS). He has over 8 years of experience working directly with developers and merchants to implement secure payment solutions in a manner compliant with the PCI-DSS.

View Profile

Richard Rohena