SentinelPanda

Which PCI SAQ type applies to you?

January 22, 2026

The right SAQ depends entirely on how you handle card data. Pick the wrong one and you either over-report or, worse, under-scope.

SAQ A — fully outsourced e-commerce

You take card payments online but every payment page element is served and handled by a PCI-compliant third party (a hosted payment page or full redirect). You never touch, store, or transmit cardholder data. SAQ A is the shortest questionnaire — but it only applies if the outsourcing is total.

SAQ A-EP — e-commerce that partially controls the page

Your website does not receive cardholder data but does affect how it is collected — for example, a direct-post or iframe setup where your page orchestrates the payment. A-EP is substantially longer than A because your site is in scope for script and integrity controls.

SAQ B and B-IP — standalone terminals

B covers standalone, dial-out terminals or imprint machines with no electronic cardholder-data storage. B-IP covers standalone, PTS-approved point-of-interaction terminals with an IP connection. Both are for merchants with no e-commerce and no card storage.

SAQ C and C-VT — payment applications and virtual terminals

C is for merchants with a payment application connected to the internet but no card storage. C-VT is for merchants who key transactions into a web-based virtual terminal on an isolated computer. The distinguishing question is whether you run an application or use a hosted virtual terminal.

SAQ P2PE — validated point-to-point encryption

If you use a PCI-listed P2PE solution, the P2PE SAQ is dramatically shorter because the encryption is handled within a validated solution and your environment never sees clear cardholder data.

SAQ D — everyone else

SAQ D-Merchant and SAQ D-Service Provider are the comprehensive questionnaires for anyone who stores cardholder data or does not fit the categories above. D is the longest, closest to a full Report on Compliance in coverage.

How to choose

Start from one question: where does cardholder data go, and does your environment ever see it in the clear? Outsource everything and you may qualify for A or P2PE; store or process it yourself and you are heading toward D. SentinelPanda auto-detects the applicable SAQ from your scope answers and produces a readiness report against it.
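The selection rules above can be written down as an ordered decision function, which makes the precedence explicit: storage and the service-provider role are checked before any payment channel, and a merchant who fits none of the narrower categories falls through to D. The code below is an added illustration, not SentinelPanda's detection logic; the `Scope` field names are assumed questionnaire answers, and treating a merchant with more than one payment channel as SAQ D is a conservative reading of "does not fit the categories above", not a rule the post states.

```python
"""Encode the SAQ selection rules as an ordered decision function.

Added example; not SentinelPanda's code. The Scope fields are assumed names
for the scope answers a readiness questionnaire would collect.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    service_provider: bool = False
    stores_card_data: bool = False               # any electronic cardholder-data storage
    ecommerce: bool = False
    payment_page_fully_outsourced: bool = False  # hosted payment page or full redirect
    page_controls_collection: bool = False       # direct-post / iframe orchestrated by your page
    p2pe_listed_solution: bool = False           # PCI-listed P2PE solution in use
    standalone_terminals: bool = False           # dial-out terminals or imprint machines
    terminals_ip_connected: bool = False         # PTS-approved POI terminals over IP
    payment_application_internet: bool = False   # payment application connected to the internet
    virtual_terminal_isolated: bool = False      # web-based virtual terminal on an isolated computer


def select_saq(s: Scope) -> tuple[str, str]:
    """Return (SAQ type, one-line reason). Check order is the point:
    the answers that force SAQ D are evaluated before any channel."""
    if s.service_provider:
        return "D-Service Provider", "service providers use the D-SP questionnaire"
    if s.stores_card_data:
        return "D-Merchant", "electronic cardholder-data storage rules out every shorter SAQ"

    # Assumption: more than one payment channel does not fit any single narrower
    # category (B, for example, requires no e-commerce), so fall through to D.
    channels = [s.ecommerce, s.standalone_terminals,
                s.payment_application_internet, s.virtual_terminal_isolated]
    if sum(channels) > 1:
        return "D-Merchant", "multiple payment channels do not fit a single narrower SAQ"

    if s.p2pe_listed_solution:
        return "P2PE", "validated P2PE solution; environment never sees clear cardholder data"

    if s.ecommerce:
        # A only when outsourcing is total: a page that shapes how data is
        # collected (direct post, iframe) is A-EP even if a third party receives it.
        if s.page_controls_collection:
            return "A-EP", "your page affects collection, so script/integrity controls apply"
        if s.payment_page_fully_outsourced:
            return "A", "all payment page elements served and handled by a compliant third party"
        return "D-Merchant", "e-commerce site that itself receives cardholder data"

    if s.standalone_terminals:
        if s.terminals_ip_connected:
            return "B-IP", "standalone PTS-approved POI terminals with an IP connection"
        return "B", "standalone dial-out terminals or imprint machines, no storage"

    if s.payment_application_internet:
        return "C", "internet-connected payment application, no storage"
    if s.virtual_terminal_isolated:
        return "C-VT", "manually keyed transactions into a hosted virtual terminal"

    return "D-Merchant", "no narrower category matched; D is the catch-all"


if __name__ == "__main__":
    # Constructed scope answers for a merchant using a hosted page plus an iframe.
    example = Scope(ecommerce=True, payment_page_fully_outsourced=True,
                    page_controls_collection=True)
    saq, why = select_saq(example)
    print(f"SAQ {saq}: {why}")
```

The reason string is what a readiness report should carry alongside the SAQ letter, because the first question an assessor asks is why the shorter questionnaire was chosen; an explicit check order also makes it obvious that adding card storage to an otherwise SAQ A scope moves the merchant to D regardless of the channel.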
