• Easy 3-min Quiz

    to identify which SAQ you need to fill out

  • There are 8 types of SAQ

    Self-Assessment Questionnaire

    BECOME COMPLIANT
    Submit the appropriate SAQ form to your payment provider along with a passed ASV scan report.
    MAINTAIN COMPLIANCE
    Submit a passed ASV scan to your payment provider every three months and your SAQ once a year.

    SAQ A

    For merchants who outsource all cardholder data processing to PCI DSS-compliant third parties. No electronic storage, processing, or transmission of cardholder data on your systems. Any retained data must be on paper (e.g., receipts).

    E-commerce or mail/telephone order (MOTO) transactions where cards are not present.

    Must fully outsource to validated providers; no electronic data handling allowed. Shortest SAQ.

    SAQ A-EP

    Similar to SAQ A, but for e-commerce where you control the redirection to the third-party processor (e.g., your website handles the initial data entry page). No electronic storage on your systems.

    E-commerce transactions only

    Outsourcing required except for the data ingestion page; no electronic data storage.

    SAQ B

    For merchants using imprint machines or standalone dial-out terminals (connected via phone line to processor). No electronic storage of cardholder data.

    Brick-and-mortar (card-present) or MOTO environments.

    Limited to specific hardware; no internet-connected systems or electronic storage.

    SAQ B-IP

    For merchants using standalone, PIN Transaction Security (PTS)-approved point-of-interaction (POI) devices with IP connection to the processor. No electronic storage.

    Brick-and-mortar or MOTO.

    Devices must be PTS-approved and isolated; no other electronic data handling.

    SAQ C

    For merchants with payment application systems (e.g., POS) connected to the internet, but no electronic storage of cardholder data.

    Brick-and-mortar or MOTO with internet-connected apps.

    Systems must not store data electronically; requires segmentation from other networks.

    SAQ C-VT

    For merchants using third-party virtual terminals on an isolated computing device (e.g., entering single transactions via keyboard). No electronic storage.

    Brick-and-mortar or MOTO with virtual terminals.

    Device must be isolated; hosted by validated provider; manual entry only.

    SAQ P2PE

    For merchants using validated Point-to-Point Encryption (P2PE) solutions (hardware-based) to encrypt data from entry to processor. No electronic storage of unencrypted data.

    Brick-and-mortar or MOTO with P2PE terminals.

    Solution must be PCI-listed and validated; reduces scope significantly.

    SAQ D

    The full questionnaire for merchants or service providers who don't qualify for other SAQs. Covers all PCI DSS requirements; allows electronic storage if compliant.

    Any scenario not covered above, including those with electronic storage or custom setups.

    Catch-all option; separate versions for merchants (SAQ D-Merchant) and service providers (SAQ D-Service Provider). Longest and most comprehensive SAQ.

  • Need help filling out the form?

    We understand the PCI jargon and can make the process painless for you.

    SAQ assistance


    A$510.00
    Let us help you fill in the SAQ form, which will take us approximately 3 hours. Once we finish, you'll need to check over all the answers and sign that they are true and correct. After signing, you simply email it to your payment gateway (or bank) along with a passed ASV scan report if you wish to become compliant. This SAQ form needs to be re-lodged every 12 months.

    MONEY-BACK GUARANTEE
    If our tech team is unable to fully understand your server or deployment scenario (for example, some sophisticated corporate instances), we refund the amount paid in full and recommend some more expensive consultants for your case. The absolute top technicians in the PCI field normally charge between $400 and $600 per hour.