Which SAQ do you need to use?
The way you handle cardholder data determines the Self-Assessment Questionnaire (SAQ) that you need to use. Please read through all the options below and select the way(s) you handle cardholder data:

You outsource all your cardholder data functions to 3rd parties
Select this option if you
  • only process card-not-present transactions
  • do not store cardholder data on any systems
  • only retain paper copies of cardholder data and do not store cardholder data electronically
  • have verified that all your 3rd party service providers that handle cardholder data for you are PCI DSS compliant
Note: This option would never apply to merchants with a face-to-face POS environment.

You use imprint or stand-alone dial-out terminals only
Select this option if you
  • use imprint machines or standalone dial-out terminals that are not connected to any other systems or the internet, but are connected via phone line to your processor or acquirer
  • do not send cardholder data over the internet
  • only retain paper copies of cardholder data and do not store cardholder data electronically

You use a web-based virtual terminal to enter cardholder data directly at a 3rd party website
Select this option if you
  • use a virtual terminal that is provided and hosted by a PCI DSS validated service provider that you access using a web browser
  • use a computer to connect to the virtual terminal and that computer is not connected to any other systems within the environment (can be separated with network segmentation)
  • have no hardware or software in your environment that captures or stores cardholder data
  • do not transmit cardholder data in any other way
  • only retain paper copies of cardholder data and do not store cardholder data electronically
Note: This option would never apply to e-commerce merchants.

You use a payment application that is connected to the internet and that runs at your location
Select this option if you
  • use a POS or payment system that is connected to the internet but not to any other systems
  • only retain paper copies of cardholder data and do not store cardholder data electronically
  • use a POS vendor that provides secure support for the POS software
  • use an eCommerce application that accepts cardholder data (instead of redirecting the user to a 3rd party website to enter payment information) and then passes it on to a payment processor or gateway

You are a Level 2 Service Provider or a merchant that handles cardholder data in any other way
Select this option if you
  • did not check any of the previous options
  • checked more than one option


If you are a business or organization that stores, processes or transmits credit cards from any of the five card brands that make up the PCI SSC (Amex, Discover, JCB, MasterCard or Visa), you will be subject to PCI DSS, irrespective of the number of transactions.

If you are a Level 2, 3 or 4 merchant or Level 2 service provider, you may be able to complete a Self-Assessment Questionnaire (SAQ).
Note: Organizations based in Canada will still need to get a PCI QSA to verify their SAQ.

Find your PCI compliance level