NEXSYS Knowledge Base | PCI Compliance
One of the most common points of confusion in PCI compliance is the Self-Assessment Questionnaire — specifically, which version applies to your business. Choose the wrong one and you may be either over-complicating your compliance process or, worse, under-reporting your risk exposure.
This article explains what an SAQ is, breaks down each type in plain language, and helps you identify which one fits your business.
A Self-Assessment Questionnaire (SAQ) is an annual self-evaluation tool used by merchants to validate their compliance with PCI DSS. Rather than undergoing a full on-site assessment by a Qualified Security Assessor (a Report on Compliance, typically required only of Level 1 merchants), most small and mid-sized businesses complete an SAQ to confirm they meet the subset of PCI DSS requirements that applies to their payment channel.
There are several SAQ types, and which one you need depends entirely on how your business accepts card payments and whether any cardholder data is entered into, passes through, or is stored on systems you control.
Your payment processor may pre-assign an SAQ type to your account. If you're unsure what's been assigned or whether it's correct, contact your NEXSYS representative.
Here's a breakdown of each SAQ type, who it applies to, and what it requires:
SAQ A
Card-Not-Present / Fully Outsourced
Most Common
For card-not-present merchants (eCommerce, mail order, or telephone order) who have fully outsourced all card payment processing to a PCI DSS validated third party. You never enter, store, or transmit cardholder data yourself; the payment page or checkout is served entirely by the provider, and the only cardholder data you retain is on paper (reports or receipts). A redirect to the provider's page qualifies, and so does a payment iframe that the provider serves in full.
Best For
eCommerce businesses using a hosted checkout (like Stripe, Square, or PayPal) via a full redirect or a provider-served iframe, or other card-not-present merchants who send customers to a third-party payment page.
SAQ A-EP
eCommerce with Partial Outsourcing
Similar to SAQ A, but for eCommerce merchants whose own website controls how cardholder data reaches the third-party processor, even though the processor handles the actual transaction and your servers never receive the card number. This applies when the card entry form is part of your page (a "direct post" form or a form built by the processor's JavaScript), because code on your site could intercept or alter cardholder data before it is sent. If card data is instead sent to your own server first, for example through a server-side API integration, you are transmitting cardholder data and SAQ D applies, not A-EP.
Best For
Online merchants whose own checkout page contains the card fields and submits them directly to the processor, rather than redirecting to, or embedding a fully provider-served iframe from, a hosted checkout page.
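The SAQ A versus A-EP versus D distinction above comes down to where the card fields live and where they post. The following added example (illustration only, not NEXSYS tooling or an official eligibility test) parses a checkout page and triages it by those two facts. The hostnames, HTML snippets and the CARD_FIELDS name list are constructed for the example; real eligibility is decided against the PCI SSC SAQ eligibility criteria and your provider's Attestation of Compliance.

```python
"""Heuristic SAQ triage of a checkout page (added example, not NEXSYS code).

Rules implemented:
  * no card fields on the merchant page, payment handed to a third-party
    host via redirect form or iframe          -> "A" candidate
  * card fields inside a <form> that posts straight to a third party
    ("direct post")                            -> "A-EP" candidate
  * card fields inside a <form> that posts back to the merchant's own host
    (the PAN would transit merchant systems)   -> "D"
  * card fields with no enclosing <form> (submitted by script)
                                               -> "REVIEW": inspect the script
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that usually mean cardholder data is typed into this page.
# Constructed list for the example; names are normalised before lookup.
CARD_FIELDS = {"cardnumber", "ccnumber", "pan", "cardno",
               "cvv", "cvv2", "cvc", "csc", "securitycode"}


def _norm(value):
    """Lower-case and strip non-alphanumerics so card_number == cardNumber."""
    return re.sub(r"[^a-z0-9]", "", (value or "").lower())


class CheckoutScanner(HTMLParser):
    """Collects the page elements that matter for SAQ A / A-EP / D triage."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.card_inputs = []      # (field name, inside a form?, form host)
        self.external_frames = []  # iframe hosts other than the merchant's
        self.form_hosts = []       # where each <form> posts; None = merchant
        self._in_form = False
        self._form_host = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # No host in the action (relative URL or empty) means it posts
            # back to the merchant site.
            self._form_host = urlparse(a.get("action") or "").hostname
            self._in_form = True
            self.form_hosts.append(self._form_host)
        elif tag == "input":
            names = (_norm(a.get("name")), _norm(a.get("id")))
            autocomplete = (a.get("autocomplete") or "").lower()
            # autocomplete="cc-*" marks card data; cc-name alone is excluded
            # because a cardholder name without a PAN is not cardholder data.
            is_card = (autocomplete.startswith("cc-") and autocomplete != "cc-name") \
                or any(n in CARD_FIELDS for n in names)
            if is_card:
                self.card_inputs.append(
                    (a.get("name") or a.get("id"), self._in_form, self._form_host))
        elif tag == "iframe":
            host = urlparse(a.get("src") or "").hostname
            if host and host != self.page_host:
                self.external_frames.append(host)

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False
            self._form_host = None


def classify(html, page_host):
    """Return (saq_candidate, reason) for one checkout page."""
    s = CheckoutScanner(page_host)
    s.feed(html)
    if s.card_inputs:
        for _name, in_form, host in s.card_inputs:
            if not in_form:
                return "REVIEW", "card fields submitted by script; check where the script sends them"
            if host is None or host == page_host:
                return "D", "card fields post to merchant systems"
        return "A-EP", "card fields on merchant page post directly to a third party"
    if s.external_frames or any(h and h != page_host for h in s.form_hosts):
        return "A", "no card fields on merchant page; payment handed to a third party"
    return "UNKNOWN", "no payment elements found; review the page and its scripts manually"


# Constructed sample pages for a merchant at shop.example.test
MERCHANT_HOST = "shop.example.test"
SAMPLES = {
    "hosted_redirect": '<form action="https://pay.example-processor.test/checkout" method="post">'
                       '<input type="hidden" name="order" value="1234"><button>Pay</button></form>',
    "provider_iframe": '<iframe src="https://js.example-processor.test/card-frame"></iframe>',
    "direct_post": '<form action="https://api.example-processor.test/tokenize" method="post">'
                   '<input name="card_number"><input name="cvv"></form>',
    "own_server": '<form action="/checkout/pay" method="post">'
                  '<input name="cardNumber" autocomplete="cc-number"><input name="exp"></form>',
    "js_tokenize": '<div><input name="card_number"></div>'
                   '<script src="https://js.example-processor.test/fields.js"></script>',
}

if __name__ == "__main__":
    for label, page in SAMPLES.items():
        saq, why = classify(page, MERCHANT_HOST)
        print(f"{label:16} -> {saq:8} ({why})")
```

The scanner only sees static HTML. A page with no card fields but with third-party or self-hosted scripts that could modify the checkout still needs a manual look at those scripts, which is exactly the concern behind A-EP's extra requirements.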
SAQ B
Imprint Machines or Standalone Dial-Up Terminals
For card-present merchants using manual imprint machines, or standalone terminals that dial out over a phone line and are not connected to the internet or to any other system. No cardholder data is stored electronically; only paper reports or receipts are retained.
Best For
Businesses using older standalone terminals that connect via phone line, not internet. Rare in modern setups.
SAQ B-IP
Standalone IP-Connected Terminals
For merchants using standalone, PTS-approved point-of-interaction (POI) devices that connect to the processor over an IP network, do not store cardholder data electronically, and are not connected to any other systems or devices in your environment.
Best For
Retail or service businesses with a dedicated countertop terminal (like a Dejavoo or PAX device) that has its own internet connection and is isolated from other systems, including the back-office network.
SAQ C
Payment Application Connected to the Internet
For merchants whose payment application system is connected to the internet but does not store cardholder data electronically. This typically means a point-of-sale system that processes transactions online but does not retain card numbers, and that is segmented from all other systems in your environment. SAQ C does not cover eCommerce.
Best For
Restaurants, retailers, and service businesses using a cloud-connected POS system (like Clover, Toast, or similar) that processes but does not store card data, provided the POS is kept on its own segmented network rather than sharing one with office PCs and other devices.
SAQ C-VT
Virtual Terminal (Manual Key-Entry)
For merchants who manually key card data into a web-based virtual terminal provided by a payment processor. The virtual terminal is hosted by the processor: you access it through a browser on a computer that is isolated in a single location and not connected to other systems, enter the card details one transaction at a time, and store no cardholder data electronically on your own systems.
Best For
Service businesses that take card payments over the phone and key them into an online terminal. Common in healthcare, consulting, and field service industries. Note that recording calls in which card numbers are spoken, or saving card numbers in a spreadsheet or CRM, is electronic storage and takes you out of C-VT and into SAQ D.
SAQ D
All Other Merchants (Most Comprehensive)
SAQ D is the most comprehensive questionnaire and applies to any merchant that does not meet the eligibility criteria for one of the other categories, particularly those who store cardholder data electronically, whose own systems receive or transmit card data, or who have more complex payment environments. It comes in two versions: SAQ D for Merchants and SAQ D for Service Providers.
Best For
Merchants who store card data, have complex or custom payment setups, or cannot confirm they meet the criteria for a simpler SAQ type. Service providers that are eligible to self-assess complete SAQ D for Service Providers. Merchants using a PCI-listed, validated point-to-point encryption solution may instead be eligible for the shorter SAQ P2PE.
SAQ A: You use a fully hosted checkout; customers leave your site to pay, or the payment page or iframe is served entirely by the provider
SAQ A-EP: The card entry form is on your own website and posts directly to a third-party processor without passing through your servers
SAQ B: You use imprint machines or a standalone dial-up terminal with no internet connection
SAQ B-IP: You use a standalone, PTS-approved internet-connected terminal that is isolated from other systems
SAQ C: You use an internet-connected POS system that processes but does not store card data and is segmented from your other systems
SAQ C-VT: You manually key card numbers into a web-based virtual terminal (phone orders) from an isolated computer
SAQ D: You store card data, your systems receive or transmit card data, you have a complex setup, or you do not clearly fit any of the above
⚠️ When in doubt, don't guess. Selecting the wrong SAQ type can leave your business exposed or result in compliance issues with your processor. Reach out to NEXSYS and we'll help you confirm the right one.
Completing the SAQ is a required part of compliance, but it is not the only part. Depending on your SAQ type, merchant level and your acquirer's requirements, you may also need to pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) and submit the completed SAQ together with its Attestation of Compliance (AOC) to your processor annually.
Your NEXSYS account includes access to compliance tools and support to help you complete all required steps — not just the questionnaire.
Not sure which SAQ applies to your account? Contact your NEXSYS representative or reach us at support@nexsyspros.com.