Access Management

PCI DSS Assessment: What You Need To Know

Minu Joseph
Product Marketer, Zluri
June 13, 2025
8 Min read
About the author

Minu is a product marketer with dynamic digital marketing support and a background in journalism. She has a comprehensive understanding of B2B marketing strategy and content writing.

What does it take to meet PCI DSS standards? To answer this, you need to assess your organization’s security policies and procedures. Therefore, the first step is to conduct a proper PCI DSS assessment for your organization. This article provides an in-depth examination of PCI DSS assessments.

With the increasing number of cyber threats also come the risks of data breaches and non-compliance with regulations. These can result in stolen data (such as payment card information), substantial fines, and damage to an organization’s reputation.

The goal of the PCI DSS is to help your organization protect cardholder data. The challenge is demonstrating that your organization actually meets it: as an IT manager, you have to locate every gap against the standard and close it.

This is why the PCI DSS assessment is necessary. Every organization handling cardholder data needs to determine how it must validate compliance. Is that the same for all organizations? No. If your organization is a Level 1 merchant or service provider (a threshold the card brands define by annual transaction volume, not by company size), a more detailed assessment is required: an on-site assessment by a Qualified Security Assessor (QSA).

On the other hand, if your organization falls into a lower level, you can usually validate through a simplified method known as the Self-Assessment Questionnaire (SAQ). The SAQ is not a weaker standard; it is a self-attestation against the PCI DSS requirements that apply to the way you handle card data, and you meet it by conducting an internal assessment.

Note: The SAQ involves evaluating and documenting compliance yourself, without a QSA. Check your acquirer's rules first, though: some card brands require Level 2 merchants to have their SAQ completed by a QSA or by an employee trained as an Internal Security Assessor (ISA).

Let’s learn about both types of PCI DSS assessments in detail.

Two Types of PCI DSS Assessments

The type of PCI DSS assessment your organization needs depends on which PCI DSS level it falls under. The card brands define those levels by annual transaction volume, and a brand can also assign an organization to Level 1 after a data breach.

1. On-site Assessment

An on-site assessment is required if your organization falls under PCI DSS Level 1. This level applies to merchants processing more than 6 million card transactions per year (counted per card brand) and to any organization a card brand has designated Level 1, typically after a data breach. Global e-commerce companies, large retail chains and payment processors commonly fall here.

In this type of assessment, a Qualified Security Assessor (QSA), an external assessor certified by the PCI Security Standards Council, performs a detailed review of your organization's systems, processes and policies, including sampling and on-site testing of the controls.

Note: The assessment tests your environment against all 12 PCI DSS requirements.

Once the assessment is complete, the QSA documents the results in a Report on Compliance (RoC), and your organization and the QSA sign an Attestation of Compliance (AoC) that summarizes it. Together these serve as formal evidence that your organization meets the standard. Note that the PCI SSC does not issue certificates; in practice "PCI certified" means holding a current RoC and AoC.

Cost of On-site assessment: The cost of this assessment ranges from $20,000 to $100,000 or more, depending on the complexity of your IT infrastructure and the scope of the review. Whatever the cost, the RoC is mandatory if your organization falls under Level 1 and serves as proof of compliance.

2. Internal Assessment

This type of PCI DSS assessment is designed for organizations that fall under PCI DSS Levels 2, 3 and 4, which cover merchants with fewer than 6 million card transactions per year.

For this assessment, you do not need to hire a QSA. An internal team within your organization can conduct this, guided by a self-assessment questionnaire (SAQ). 

Note: Each SAQ contains the subset of PCI DSS requirements that applies to one particular way of accepting card payments (SAQ D contains all of them), so it doubles as a structured check of your security posture.

Cost of Internal Assessment: It is lower compared to an on-site assessment, as your organization manages the process internally with its team. However, if your organization requires some external help, then the consulting fees can be $1,000 to $10,000 (depending upon the level of assistance needed).

Suppose you have determined from your transaction volume that your organization can self-assess. There are 8 different SAQ types, and the one you use is decided not by your level but by how you accept and handle card data. The next step is to work out which SAQ fits your organization.

Types of PCI DSS Self-Assessment Questionnaire (SAQs)

| Type of SAQ | Type of Organization | Account Data Scope | Electronic Account Data Storage Allowed |
|:------------:|:--------------------:|:------------------:|:---------------------------------------:|
| SAQ A | Card-not-present merchants (e-commerce or mail/telephone order) that fully outsource payment processing | Card-not-present transactions handled entirely by a PCI DSS-compliant third party | No |
| SAQ A-EP | E-commerce merchants whose own website controls how cardholder data reaches the processor | Card-not-present transactions; the merchant website does not receive account data | No |
| SAQ B | Merchants using imprint machines or standalone dial-out terminals | Card-present and mail/telephone order transactions | No |
| SAQ B-IP | Merchants using standalone, PTS-approved terminals with an IP connection to the processor | Card-present transactions via IP-connected terminals | No |
| SAQ C | Merchants with a payment application system connected to the internet | Card-present transactions through that system | No |
| SAQ C-VT | Merchants keying transactions into a web-based virtual terminal from one dedicated device | Virtual terminal transactions | No |
| SAQ P2PE-HW | Merchants using only a PCI-listed point-to-point encryption (P2PE) solution | Card-present transactions through P2PE devices | No |
| SAQ D | Merchants not eligible for any other SAQ; all service providers | All transaction types, including e-commerce | Yes, subject to PCI DSS Requirement 3 |

Here is each SAQ type in turn, to help you choose the one that fits your organization.

1. SAQ A

SAQ A is for merchants that accept payments but have minimal contact with payment card data because every payment function is outsourced to PCI DSS-compliant third-party service providers.

Who qualifies for SAQ A?

  • Your organization accepts only card-not-present transactions (e-commerce or mail/telephone order).
  • All cardholder data is handled exclusively by PCI DSS-compliant third parties, such as payment gateways.
  • Your website does not receive, collect or store payment details from customers.
  • Your remaining responsibility is limited to the hand-off to the provider (the redirect or iframe), your policies, and managing those third parties.

For example, an organization whose checkout redirects customers to a payment gateway's hosted page, or displays that page in an iframe served entirely by the gateway, qualifies. This makes SAQ A the natural choice if you have fully outsourced payment processing.

In addition, to qualify for SAQ A, your organization is required to confirm that:

  • Cardholder data is not stored, processed or transmitted on your systems.
  • Your third-party service providers are PCI DSS compliant (keep their AoCs on file).
  • Any redirect or iframe used for payment is protected against tampering. The exact wording of this criterion has changed between SAQ A versions, so read the eligibility section of the SAQ A document you are completing.

2. SAQ A-EP

SAQ A-EP applies to e-commerce merchants that outsource payment processing but keep some technical responsibility for the payment flow. It differs from SAQ A in one respect: your own website controls how customers or their card data reach the payment provider, for example through a form on your page that posts directly to the processor, or through processor-supplied JavaScript running inside your page.

Your server never receives account data, but an attacker who compromises your site could alter that hand-off and skim card data. That is why SAQ A-EP requires you to secure the web environment itself, not just the policies around it.

Eligibility criteria for SAQ A-EP include:

  • Using a PCI DSS-compliant third party for all payment processing.
  • Operating a website that does not receive cardholder data but controls how it is redirected to the processor.
  • Confirming that no account data is stored, processed or transmitted on your systems, and that the site is hosted and maintained securely to prevent tampering.

Key requirements of this PCI DSS assessment involve:

  • Implementing network security controls for the web servers and TLS for every page involved in payment.
  • Regularly testing for vulnerabilities (including quarterly external scans by an Approved Scanning Vendor) and maintaining secure configurations.
  • Ensuring third-party service providers meet PCI DSS standards.
  • Monitoring for and preventing unauthorized access to, and unauthorized changes to, your web systems.
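To make the SAQ A versus SAQ A-EP distinction concrete, here is an added example (not code from the article, from Zluri, or from the PCI SSC) that inspects a checkout page's markup and reports which hand-off pattern it matches: a TPSP-hosted iframe (SAQ A), card fields or TPSP JavaScript on the merchant's own page (SAQ A-EP), or card fields posting back to the merchant (neither). The provider hostnames, the merchant hostname, the card-field heuristics and the sample pages are constructed assumptions; the parser only tells you which SAQ to read, and that SAQ's eligibility criteria decide.

```python
"""Classify a checkout page's card-entry pattern: SAQ A-like, SAQ A-EP-like,
or neither. Added illustration only; all hostnames and sample pages are assumed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: hostnames of the merchant's PCI DSS-compliant third-party service provider (TPSP).
TPSP_HOSTS = {"pay.example-processor.com", "js.example-processor.com"}
# Assumed: the merchant's own hostname; relative URLs resolve here.
MERCHANT_HOST = "shop.example.com"
# Heuristic substrings that mark an <input> as a card-entry field.
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expiry", "exp_")


def _host(url):
    """Hostname of a URL; a relative URL belongs to the merchant's own site."""
    return urlparse(url).netloc.lower() or MERCHANT_HOST


class CheckoutParser(HTMLParser):
    """Collect iframe sources, script sources, and form targets that carry card fields."""

    def __init__(self):
        super().__init__()
        self.iframe_hosts = set()
        self.script_hosts = set()
        self.forms = []          # one dict per <form>: {"action_host": str, "card_inputs": int}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.iframe_hosts.add(_host(a["src"]))
        elif tag == "script" and a.get("src"):
            self.script_hosts.add(_host(a["src"]))
        elif tag == "form":
            self._form = {"action_host": _host(a.get("action", "")), "card_inputs": 0}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if any(h in name for h in CARD_FIELD_HINTS):
                self._form["card_inputs"] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def classify_checkout(html):
    """Return (saq_candidate, reason) for one checkout page's markup."""
    p = CheckoutParser()
    p.feed(html)
    card_forms = [f for f in p.forms if f["card_inputs"]]
    if any(f["action_host"] not in TPSP_HOSTS for f in card_forms):
        # Card data would be posted to the merchant (or an unlisted host): the merchant
        # receives account data, so neither SAQ A nor SAQ A-EP is available.
        return "SAQ D", "card fields post to the merchant or an unlisted host"
    if card_forms:
        # Direct post: the merchant's page builds the form and the data goes straight to the TPSP.
        return "SAQ A-EP", "merchant page hosts card fields that post directly to the TPSP"
    if p.script_hosts & TPSP_HOSTS:
        # TPSP JavaScript executes inside the merchant page and controls the hand-off.
        return "SAQ A-EP", ("TPSP JavaScript runs inside the merchant page "
                            "(ask the TPSP whether an iframe-only integration is accepted for SAQ A)")
    if p.iframe_hosts & TPSP_HOSTS:
        return "SAQ A", "payment form is delivered inside a TPSP-hosted iframe"
    return "undetermined", "no card-entry elements found; a full URL redirect to the TPSP is the SAQ A pattern"


# Constructed sample pages, not real merchant markup.
SAMPLE_IFRAME = ('<form action="/order/confirm"><input name="email"></form>'
                 '<iframe src="https://pay.example-processor.com/checkout?s=abc"></iframe>')
SAMPLE_DIRECT_POST = ('<form action="https://pay.example-processor.com/directpost" method="post">'
                      '<input name="card_number"><input name="cvv"><input name="exp_month"></form>')
SAMPLE_TPSP_SCRIPT = ('<script src="https://js.example-processor.com/v1.js"></script>'
                      '<div id="card-element"></div>')
SAMPLE_OWN_FORM = ('<form action="/checkout/pay" method="post">'
                   '<input name="cardnumber"><input name="cvc"></form>')

if __name__ == "__main__":
    for label, page in [("iframe", SAMPLE_IFRAME), ("direct post", SAMPLE_DIRECT_POST),
                        ("TPSP script", SAMPLE_TPSP_SCRIPT), ("own form", SAMPLE_OWN_FORM)]:
        print(f"{label:12s} -> {classify_checkout(page)}")
```

Run it against the saved HTML of your real checkout page. The most common surprise is the third branch: a processor's script tag on your page means your page, and anything that can modify it, sits in the payment flow, which is exactly the exposure SAQ A-EP exists to cover.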

3. SAQ B

SAQ B is for merchants that process card payments using imprint machines or standalone dial-out payment terminals. These terminals must not connect to the internet or to any other system, and no cardholder data may be stored electronically. Because the exposure is so narrow, the assessment checks basic physical and procedural controls rather than a full set of network requirements.

The eligibility criteria for SAQ B are:

  • Using standalone terminals connected through phone lines or similar methods.
  • Avoiding any storage of cardholder data in digital systems.
  • Ensuring that the terminals are not connected to the internet or to any other system in your environment.

Moreover, this PCI DSS assessment helps organizations to verify:

  • Physical security of payment terminals to prevent tampering.
  • Secure communication channels, such as phone lines, for transactions.
  • Regular inspection of payment devices for signs of compromise.
  • Policies and procedures to handle cardholder data securely.

4. SAQ B-IP

SAQ B-IP (SAQ B, Internet Protocol) applies if your organization uses standalone, PTS-approved payment terminals that connect to the payment processor over an IP network. The terminals must not be connected to any other system in your environment, must not store cardholder data electronically, and must transmit only to a PCI DSS-compliant processor. Completing SAQ B-IP confirms that you have taken the preventive steps needed to secure that network path.

The eligibility criteria for SAQ B-IP are:

  • Using standalone, PTS-approved payment terminals with an IP connection to the processor, and to nothing else in your environment.
  • Relying on PCI DSS-compliant service providers for processing.
  • Ensuring the terminals do not store cardholder data electronically.

Also, this PCI DSS assessment focuses on: 

  • Protecting terminals against unauthorized access
  • Ensuring secure communication of payment data using encryption
  • Verifying that the service provider handling transactions is compliant
  • Maintaining physical and logical security for payment devices

5. SAQ C

SAQ C applies if your organization processes payments through a payment application system (point-of-sale software, for example) that is connected to the internet but does not store cardholder data electronically. The system must be segmented from the rest of your network and not connected to any other system in your environment.

For conducting a PCI DSS assessment for SAQ C, the eligibility criteria include:

  • Using an internet-connected payment application system to process cardholder data.
  • Not storing cardholder data electronically after authorization.
  • Segmenting the payment system from other networks and securing it to prevent breaches.

By performing this PCI DSS security assessment, you can ensure that your organization secures the network and payment environment to meet PCI DSS requirements.

Also, this PCI DSS self-assessment questionnaire focuses on:

  • Encrypting cardholder data during transmission to prevent unauthorized access.
  • Regularly testing payment systems and network security.
  • Using strong firewalls and access controls to protect the environment.
  • Ensuring third-party payment processors comply with PCI DSS standards.

Now, suppose your organization operates in multiple locations, each with an internet-connected payment system that sends cardholder data to a secure payment processor without storing it locally.

Your team keeps the payment systems patched, encrypts transmissions, segments them from other networks, runs quarterly vulnerability scans (internal, and external via an Approved Scanning Vendor) and verifies the processor's compliance annually. These steps help your organization meet SAQ C requirements.

6. SAQ C-VT

SAQ C-VT (Self-Assessment Questionnaire C, Virtual Terminal) applies if your organization keys card payments into a virtual terminal: a web-based interface provided by a PCI DSS-compliant third-party payment processor, accessed from a single computer used only for that purpose.

This type of SAQ ensures that your organization secures its systems when handling card payments. Here are the eligibility criteria for SAQ C - VT.

  • Using a virtual terminal provided by a PCI DSS-compliant service provider.
  • Keying transactions in manually, one at a time, on a computer or device used solely for this purpose and not connected to other systems in your environment.
  • Ensuring that no cardholder data is stored electronically and that no card-reading hardware is attached to the device.

Moreover, SAQ C-VT focuses on:

  • Using secure connections, such as HTTPS, to access the virtual terminal.
  • Limiting access to the device to the staff who key in payments.
  • Protecting the computer or device with anti-malware software, a host firewall and current patches.
  • Restricting physical and network access to the device to prevent tampering or unauthorized use.

Imagine your organization sells a SaaS subscription and takes some subscription payments over the phone, keying each one into a virtual terminal from a single dedicated workstation. The virtual terminal is provided by a PCI DSS-compliant payment processor.

That workstation runs anti-malware software, is isolated from other networks and applications, is patched regularly, and can be used only by the billing team. These steps align with SAQ C-VT requirements.

7. SAQ P2PE-HW

You can complete SAQ P2PE-HW (called simply SAQ P2PE in current versions of the standard) if your organization processes card-present payments only through a point-to-point encryption (P2PE) solution listed by the PCI SSC. Because card data is encrypted inside the terminal and your organization never holds the decryption keys, the set of applicable requirements shrinks considerably.

Eligibility for SAQ P2PE-HW requires:

  • Using only payment terminals that belong to the listed P2PE solution, with no other card-present acceptance method.
  • Not storing cardholder data electronically within your organization.
  • Relying on the P2PE solution provider to manage encryption and key handling, and following its P2PE Instruction Manual (PIM).

SAQ P2PE -HW focuses on:

  • Ensuring that all payment devices are part of a validated Point-to-Point Encryption (P2PE) solution.
  • Maintaining the physical security of the devices to prevent tampering.
  • Following the documented procedures provided by the P2PE vendor.
  • Conducting regular inspections to ensure the devices remain secure.

Overall, SAQ P2PE-HW simplifies PCI DSS compliance for your organization if it uses secure, validated payment devices. 

8. SAQ D

SAQ D is the catch-all. You complete it if your organization does not meet the eligibility criteria of any other SAQ, for example because it stores account data electronically or runs in-house payment software. Service providers eligible to self-assess complete the service-provider version of SAQ D. Because it can include every PCI DSS requirement, it is the longest and most demanding SAQ.

You fall under SAQ D if your organization is:

  • Storing, processing, or transmitting cardholder data electronically.
  • Using complex IT systems, such as multi-point integrations or in-house payment solutions.
  • Handling scenarios not covered by simpler SAQ types, like P2PE or virtual terminals.

Key areas that SAQ D focuses on:

  • Securing cardholder data at rest and in transit through encryption and secure storage practices.
  • Implementing strong access controls and restricting access to sensitive data.
  • Regularly testing network security and running vulnerability scans.
  • Logging access to cardholder data systems and reviewing those logs daily for security events.
  • Ensuring third-party service providers meet PCI DSS requirements.

By following this PCI DSS assessment, your organization can protect sensitive data, reduce risks, and build customer trust.
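Logging and daily log review is the SAQ D area most often answered "yes" without a process behind it. The following added example (not Zluri's code and not from the article) shows what a minimal daily review of authentication events on cardholder data environment (CDE) hosts looks like: it flags logins by accounts not on the approved list, interactive use of shared accounts, logins from outside the administrative subnet, and repeated failures against one account. The hostnames, the approved-account list, the admin subnet, the ten-failure threshold and every log line are constructed assumptions.

```python
"""Daily review of SSH authentication events on CDE hosts.
Added illustration only; hosts, accounts, subnet, thresholds and log lines are assumed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

CDE_HOSTS = {"cde-db01", "cde-app01"}                       # assumed in-scope hosts
APPROVED_CDE_ACCOUNTS = {"dbadmin", "appdeploy", "auditor"}  # assumed individual accounts
GENERIC_ACCOUNTS = {"root", "admin", "administrator"}        # shared IDs that must not log in interactively
ADMIN_SUBNET = ipaddress.ip_network("10.20.1.0/24")          # assumed jump-host range
FAILED_THRESHOLD = 10                                        # assumption modelled on the PCI DSS lockout limit
WINDOW = timedelta(minutes=30)                               # assumed observation window

# Matches the syslog-style lines constructed below (not a general sshd parser).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line):
    """Return a dict with ts/host/result/user/ip, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def review_cde_auth(lines):
    """Return a list of (rule, host, user, detail) findings for CDE hosts only."""
    findings = []
    failures = defaultdict(list)   # (host, user) -> timestamps of failed attempts
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["host"] not in CDE_HOSTS:
            continue
        key = (ev["host"], ev["user"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
            if len(recent) == FAILED_THRESHOLD:    # fire once, when the threshold is reached
                findings.append(("brute-force", ev["host"], ev["user"],
                                 f"{FAILED_THRESHOLD} failures within {WINDOW} from {ev['ip']}"))
            continue
        # Successful login: check who it was and where it came from.
        if ev["user"] in GENERIC_ACCOUNTS:
            findings.append(("shared-account-login", ev["host"], ev["user"], f"from {ev['ip']}"))
        elif ev["user"] not in APPROVED_CDE_ACCOUNTS:
            findings.append(("unapproved-account", ev["host"], ev["user"], f"from {ev['ip']}"))
        if ipaddress.ip_address(ev["ip"]) not in ADMIN_SUBNET:
            findings.append(("login-outside-admin-subnet", ev["host"], ev["user"], f"from {ev['ip']}"))
    return findings


# Constructed sample log: one clean login, one non-CDE host (ignored), one unapproved
# user, one shared account from outside the admin subnet, and ten failures in a minute.
SAMPLE_LOG = [
    "2025-06-01T02:00:00Z cde-db01 sshd: Accepted publickey for dbadmin from 10.20.1.15",
    "2025-06-01T02:01:00Z web01 sshd: Accepted password for root from 10.20.5.5",
    "2025-06-01T02:02:00Z cde-app01 sshd: Accepted password for jsmith from 10.20.1.22",
    "2025-06-01T02:03:00Z cde-db01 sshd: Accepted password for root from 198.51.100.7",
] + [
    f"2025-06-01T02:10:{s:02d}Z cde-db01 sshd: Failed password for root from 203.0.113.9"
    for s in range(10)
]

if __name__ == "__main__":
    for rule, host, user, detail in review_cde_auth(SAMPLE_LOG):
        print(f"{rule:28s} {host:10s} {user:10s} {detail}")
```

Feed it the previous day's logs from every in-scope host and keep the output with the date: the findings list is the evidence an assessor asks for when checking that daily review actually happens, and each finding maps to a ticket or a documented "reviewed, expected" decision.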

Steps to Perform the PCI DSS Self-Assessment Questionnaire

Below are the steps to complete the PCI DSS assessment process.

Step 1: Determine your PCI DSS Level

The first step is to identify your PCI DSS merchant level, which the card brands set by the volume of card transactions you process annually. Your level decides whether you may self-assess at all (Levels 2 to 4) or need an on-site assessment and RoC (Level 1).

Step 2: Complete the self-assessment questionnaire

Choose the correct SAQ based on how your organization accepts and handles card data (see the eligibility criteria above), then complete it thoroughly. The questionnaire walks through the PCI DSS requirements applicable to that scenario.

Note: Answer every question truthfully and keep the evidence behind each answer. An SAQ marked "Yes" without the supporting controls is not compliance, and your acquirer can ask you to prove any answer.
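Steps 1 and 2 are where most mistakes happen: the merchant level decides whether you may self-assess, and the acceptance pattern decides which SAQ. The following added example (not a PCI SSC tool and not Zluri's code) encodes the eligibility rules from the SAQ descriptions above as a decision procedure, including the two cases that silently push a merchant into SAQ D: electronic storage of account data, and a terminal or virtual-terminal workstation that is connected to other systems. The method names and sample merchants are this example's own; the current SAQ documents and your acquirer remain the authority.

```python
"""Pick the validation method and SAQ type from merchant level and acceptance pattern.
Added illustration only; method names and sample merchants are assumed."""
from dataclasses import dataclass

# Acceptance methods this example understands (names are this example's own).
METHOD_TO_SAQ = {
    "fully_outsourced_to_tpsp": "SAQ A",       # e-commerce redirect/iframe, or MOTO handled entirely by the TPSP
    "merchant_page_elements": "SAQ A-EP",      # direct post or TPSP JavaScript inside the merchant page
    "imprint_or_dialout_terminal": "SAQ B",    # no IP connectivity at all
    "standalone_ip_terminal": "SAQ B-IP",      # PTS-approved terminal, IP connection to the processor only
    "payment_application_system": "SAQ C",     # POS software connected to the internet
    "virtual_terminal": "SAQ C-VT",            # keyed into a TPSP web page from one dedicated device
    "p2pe": "SAQ P2PE",                        # PCI-listed P2PE solution only
}
# Methods whose device must not connect to any other system in the environment.
ISOLATION_REQUIRED = {"standalone_ip_terminal", "payment_application_system", "virtual_terminal"}
WEB_ONLY_SAQS = {"SAQ A", "SAQ A-EP"}


@dataclass
class Channel:
    kind: str                                   # "ecommerce", "moto" or "card_present"
    method: str                                 # a key of METHOD_TO_SAQ
    device_connected_to_other_systems: bool = False


@dataclass
class Merchant:
    channels: list
    stores_account_data_electronically: bool = False
    is_service_provider: bool = False


def saq_for_channel(ch):
    """SAQ implied by one acceptance channel, or SAQ D when no simpler SAQ fits."""
    saq = METHOD_TO_SAQ.get(ch.method)
    if saq is None:
        return "SAQ D"
    if ch.kind == "ecommerce" and saq not in WEB_ONLY_SAQS:
        return "SAQ D"                          # terminal-style SAQs do not cover a web channel
    if ch.kind == "card_present" and saq in WEB_ONLY_SAQS:
        return "SAQ D"                          # A and A-EP are card-not-present only
    if ch.kind == "moto" and saq == "SAQ A-EP":
        return "SAQ D"                          # A-EP is e-commerce only
    if ch.method in ISOLATION_REQUIRED and ch.device_connected_to_other_systems:
        return "SAQ D"                          # B-IP, C and C-VT all require an isolated device
    return saq


def select_saq(m):
    """Return (saq, reason) for an organization that is allowed to self-assess."""
    if m.is_service_provider:
        return "SAQ D", "service providers complete SAQ D for Service Providers"
    if m.stores_account_data_electronically:
        return "SAQ D", "electronic storage of account data rules out every other SAQ"
    if not m.channels:
        return "SAQ D", "no acceptance channel described"
    per_channel = {saq_for_channel(c) for c in m.channels}
    if len(per_channel) == 1:
        return per_channel.pop(), "single acceptance pattern"
    return "SAQ D", ("mixed channels (" + ", ".join(sorted(per_channel)) +
                     "): complete SAQ D, or one SAQ per channel if your acquirer agrees")


def validation_for(level, m):
    """Steps 1 and 2 together: Level 1 means a RoC; lower levels pick an SAQ."""
    if level == 1:
        return "RoC", "Level 1: on-site assessment by a QSA, documented in a Report on Compliance"
    return select_saq(m)


if __name__ == "__main__":
    # Constructed sample merchants (not real organizations).
    samples = {
        "web shop, hosted checkout": (3, Merchant([Channel("ecommerce", "fully_outsourced_to_tpsp")])),
        "web shop, own card form":   (3, Merchant([Channel("ecommerce", "merchant_page_elements")])),
        "phone orders, one PC":      (4, Merchant([Channel("moto", "virtual_terminal")])),
        "store, terminal on LAN":    (2, Merchant([Channel("card_present", "standalone_ip_terminal", True)])),
        "store + web shop":          (2, Merchant([Channel("card_present", "imprint_or_dialout_terminal"),
                                                   Channel("ecommerce", "fully_outsourced_to_tpsp")])),
        "big retailer":              (1, Merchant([Channel("card_present", "p2pe")])),
    }
    for name, (level, merchant) in samples.items():
        print(f"{name:28s} -> {validation_for(level, merchant)}")
```

The "store, terminal on LAN" sample is the instructive one: the same PTS-approved terminal that qualifies for SAQ B-IP when it talks only to the processor drops you to SAQ D the moment it shares a network segment with back-office systems, because those systems are now in scope.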

Step 3: Gather your supporting documentation

Collect all relevant documentation to support your SAQ answers. This may include your company’s security policies, network diagrams, access control logs, and any evidence of security practices (like firewalls or encryption).

Step 4: Submit your SAQ and documentation

Once the SAQ is completed and all supporting documents are gathered, submit the entire package to your acquiring bank or payment card brand. Some banks or brands may have specific submission instructions, so it’s essential to confirm the process with them.

Step 5: Await confirmation of compliance

After submission, the acquiring bank or payment card brand will review your materials. If your SAQ and documentation meet the requirements, you will receive confirmation of PCI DSS compliance.

Step 6: Address non-compliance issues (if any)

If your SAQ is found to have gaps or non-compliance, you will be required to provide additional clarification or make necessary changes. Thus, work with your security team to resolve any issues efficiently.

Step 7: Maintain your ongoing compliance

You must continuously monitor and maintain your security controls to stay compliant: review your policies and configurations regularly, run the quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) that most SAQ types require, and repeat the SAQ annually.

Simplify your PCI DSS Assessment Process

Regardless of whether your organization qualifies for SAQ A or SAQ D, compliance with PCI DSS is mandatory. It requires meeting strict security standards to protect cardholder data, including implementing security controls, encrypting account data, and controlling access to sensitive data. But how do you simplify this?

For instance, to implement access control you need to review who has access to what and remediate any access that is no longer needed. To streamline this, you can leverage tools like Zluri, whose access review solution lets you create access certifications for reviewing access.

The platform gives you clear visibility into who can access your systems and data. This ensures that only authorized individuals have access, helping your organization meet PCI DSS requirements.

But how can you prove your PCI compliance? Zluri simplifies this by providing an access review report. This report includes key details such as users, their roles in applications, review status, remediation actions, and more. These insights enable auditors to more effectively evaluate user access, demonstrating your commitment to compliance with PCI DSS.
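The access review described above, as an added example that is not Zluri's product code: it takes an entitlement export for in-scope applications, applies the decisions a reviewer would make (terminated and dormant accounts are revoked regardless of what a reviewer says, privileged roles need an explicit approval), and produces the report rows an assessor asks for: user, application, role, review status and remediation action. The export fields, role names, 90-day inactivity limit and sample records are constructed assumptions.

```python
"""Periodic user-access review over an application entitlement export.
Added illustration only; export format, roles, limits and records are assumed."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

INACTIVE_DAYS_LIMIT = 90                                    # assumption aligned with the PCI DSS inactive-account limit
PRIVILEGED_ROLES = {"admin", "dba", "payments_operator"}    # assumed privileged roles in in-scope applications


@dataclass
class Entitlement:
    user: str
    app: str
    role: str
    days_since_last_login: int
    employee_status: str                   # "active" or "terminated", from the HR feed
    reviewer_decision: Optional[str] = None  # "approve", "revoke", or None if no decision was recorded


def review_entitlement(e):
    """Return (status, remediation) for one entitlement record."""
    if e.employee_status != "active":
        # Leavers are removed first; a reviewer's approval cannot keep a leaver's access.
        return "auto-revoke", f"disable {e.user} in {e.app}: user is {e.employee_status}"
    if e.days_since_last_login > INACTIVE_DAYS_LIMIT:
        return "auto-revoke", f"disable {e.user} in {e.app}: inactive for {e.days_since_last_login} days"
    if e.reviewer_decision == "revoke":
        return "revoke", f"remove role {e.role} from {e.user} in {e.app}"
    if e.reviewer_decision == "approve":
        note = "privileged role explicitly approved" if e.role in PRIVILEGED_ROLES else "approved"
        return "certified", f"none ({note})"
    # No decision recorded: nothing is certified by default, and privileged roles escalate.
    urgency = "escalate" if e.role in PRIVILEGED_ROLES else "remind reviewer"
    return "pending", f"{urgency}: no decision recorded for {e.user} in {e.app}"


def run_access_review(entitlements):
    """Produce the review report (one row per entitlement) and a count per status."""
    rows = []
    for e in entitlements:
        status, action = review_entitlement(e)
        rows.append({"user": e.user, "app": e.app, "role": e.role,
                     "status": status, "remediation": action})
    return rows, Counter(r["status"] for r in rows)


# Constructed sample export (not real users or systems).
SAMPLE_EXPORT = [
    Entitlement("alice", "payments-portal", "payments_operator", 3, "active", "approve"),
    Entitlement("bob",   "payments-portal", "admin",             12, "active", None),
    Entitlement("carol", "payments-portal", "viewer",           140, "active", "approve"),
    Entitlement("dave",  "cde-db",          "dba",                5, "terminated", "approve"),
    Entitlement("erin",  "cde-db",          "viewer",            20, "active", "revoke"),
    Entitlement("frank", "cde-db",          "viewer",             8, "active", None),
]

if __name__ == "__main__":
    report, summary = run_access_review(SAMPLE_EXPORT)
    for r in report:
        print(f"{r['user']:6s} {r['app']:16s} {r['role']:18s} {r['status']:12s} {r['remediation']}")
    print(dict(summary))
```

Two records show why the automatic rules come before the reviewer's decision: carol was approved by her manager but has not logged in for 140 days, and dave was approved after leaving the company. Both are revoked anyway, and the report records the reason, which is what an assessor wants to see next to each row.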


Also Read: If you want to meet the PCI DSS requirements, you can go through 12 PCI DSS Compliance Checklists.

Frequently Asked Questions (FAQs)

1. What is a PCI SAQ?

A PCI Self-Assessment Questionnaire (SAQ) is a validation tool for organizations permitted to self-assess: an internal team answers the questions and the organization signs the corresponding Attestation of Compliance. A merchant generally qualifies for an SAQ only if it falls under PCI DSS Level 2, 3 or 4.

2. What is SAQ D for service providers?

SAQ D for Service Providers applies to service providers that store, process or transmit cardholder data on behalf of merchants, for example hosting, payment processing or data storage providers. These providers must demonstrate that they follow PCI DSS by securing stored data, protecting their networks and controlling access.

3. How frequently do you need to complete the PCI SAQ?

Payment brands and acquirers determine how often businesses must complete PCI SAQs. For Level 2 to 4 organizations it is annual, with quarterly external vulnerability scans in between for the SAQ types that require them.

4. What is an electronic cardholder?

An electronic cardholder holds a digital version of a payment card, such as a credit or debit card, for electronic transactions. These cardholders keep their card details in digital wallets or payment systems, which allows quick and safe online purchases and payments.

5. What is a real life example of credit card fraud?

Credit card fraud happens in many ways, including:

  • Someone taking over your account
  • Opening a new account in your name
  • Cloning your card
  • Using your card details without having the physical card

Attackers often obtain the information through phishing or skimming.

Related Blogs

Webinar

Product Spotlight ft. Gen AI Discovery, Proactive Access Governance, and more

Watch Now!
Button Quote
Featured
Access Management

PCI DSS Assessment: What You Need To Know

What does it take to meet PCI DSS standards? To answer this, you need to assess your organization’s security policies and procedures. Therefore, the first step is to conduct a proper PCI DSS assessment for your organization. This article provides an in-depth examination of PCI DSS assessments.

With the increasing number of cyber threats also come the risks of data breaches and non-compliance with regulations. These can result in stolen data (such as payment card information), substantial fines, and damage to an organization’s reputation.

The goal of the PCI DSS is to help your organization better protect cardholder data. One potential challenge is making sure your organization is PCI DSS compliant. As an IT manager, you will face a daunting task in locating and resolving these compliance problems.

This is why the PCI DSS assessment is necessary. Every organization handling cardholder data needs to determine its compliance requirements. But is it the same for all types of organizations? The answer is No. If your organization is mid to large-sized, a more detailed PCI DSS assessment is required. This involves an on-site assessment by a Qualified Security Assessor (QSA).

On the other hand, if your organization is small to medium-sized, you need to follow a simpler version of the standards, known as the Self-Assessment Questionnaire (SAQ). To meet these requirements, you need to conduct an internal assessment.

Note: The SAQ involves evaluating and documenting internal compliance without the assistance of a QSA.

Let’s learn about both types of PCI DSS assessments in detail.

Two Types of PCI DSS Assessments

The type of PCI DSS assessment that your organization needs depends on which PCI DSS level it falls under. Moreover, the PCI DSS levels are based on your transaction volume and the potential risks your organization might face.

1. On-site Assessment

An on-site assessment is required if your organization falls under PCI DSS Level 1. This level applies to organizations that process over 6 million card transactions annually or are prone to high risk due to data breaches. These organizations might include global e-commerce companies, large retail chains, or payment processors, provided they are eligible.

While conducting this type of PCI DSS assessment, a Qualified Security Assessor (QSA) (who is an external auditor) is involved. They will perform a detailed review of your organization’s systems, processes, and policies (if your organization falls under the category mentioned above).

Note: The primary goal of this assessment is to comply with the 12 PCI DSS requirements.

Once this assessment is completed, the QSA will provide your organization with an Attestation of Compliance (AoC) and a Report on Compliance (RoC). This will serve as a certification that your organization meets the required standard.

Cost of On-site assessment: The cost of this assessment ranges from $20,000 to $100,000 or more. However, this cost depends on the complexity of your IT infrastructure and the scope of the review. However, the RoC is a mandatory document if your organization comes under Level 1 and serves as proof of compliance.

2. Internal Assessment

This type of PCI DSS assessment is designed for organizations that fall under PCI DSS Levels 2, 3, and 4. These levels primarily encompass organizations with fewer transactions (less than 6 million annually). 

For this assessment, you do not need to hire a QSA. An internal team within your organization can conduct this, guided by a self-assessment questionnaire (SAQ). 

Note: The PCI SAQ is a subset of PCI DSS requirements, helping you assess your organization's security posture.

Cost of Internal Assessment: It is lower compared to an on-site assessment, as your organization manages the process internally with its team. However, if your organization requires some external help, then the consulting fees can be $1,000 to $10,000 (depending upon the level of assistance needed).

Imagine that you have determined your organization needs to perform an internal assessment, guided by the volume of transactions and PCI SAQs. However, there are 8 different types of SAQs. Now, it's essential to understand which SAQ type will best suit your organization. Let’s find out in detail.

Types of PCI DSS Self-Assessment Questionnaire (SAQs)

| Type of SAQ | Type of Organization | Account Data Scope | Electronic Account Data Storage Allowed | |:------------: |:--------------------------------------------------------------------: |:--------------------------------------------------: |:----------------------------------------: | | SAQ A | E-commerce, service providers | Card-not-present transactions | No storage of cardholder data | | SAQ A -EP | E-commerce, service providers | Card-not-present transactions with a website | No storage of cardholder data | | SAQ B | Mail order/telephone order | Card-present transactions | No electronic storage of account data | | SAQ B -IP | Mail order/telephone order | Card-present transactions via IP-connected devices | No electronic storage of account data | | SAQ C | Retail, small organizations | Card-present transactions | Limited electronic storage of card data | | SAQ C -VT | Retail, small organizations | Virtual terminal transactions | Limited electronic storage of card data | | SAQ P2PE -HW | Any organization using a point-to-point encryption hardware solution | Card-present transactions | Only P2PE-encrypted storage of card data | | SAQ D | Large organizations, service providers | All types of transactions, including e-commerce | Storage of cardholder data allowed |

Here is the list of all the types of SAQ that will help you choose the one that is suitable for your organization.

1. SAQ A

Conducting a PCI DSS assessment for this type of SAQ is for organizations that handle payments but have minimal interaction with sensitive payment card data. This means your organization will qualify for this if it processes payments through third-party service providers.

Who qualifies for SAQ A?

  • All cardholder data is handled exclusively by trusted third-party vendors, such as payment gateways.
  • Your website does not collect or store payment details directly from customers.
  • Maintain limited responsibility for securing payment systems.

For example, an organization that uses a payment gateway to handle transactions qualifies. This makes SAQ A an ideal choice for your organization if it has outsourced payment processing.

In addition, to qualify for SAQ, your organization is required to confirm that:

  • Cardholder data is not stored on their systems.
  • Their third-party vendors meet PCI DSS compliance requirements.
  • Any redirection or frame used for payment is secure.

2. SAQ A -EP

For SAQA-EPP, you can conduct a PCI DSS compliance assessment if your organization is involved in online payment processing. It applies to organizations that will outsource their payment transactions but still have some technical responsibilities. 

SAQ A-EP is for merchants who rely on third-party payment processors but manage their websites. These websites facilitate the initial connection, redirecting individuals to the payment provider. This will ensure that your organization secures the environment to protect payment data during the redirection process.

Eligibility criteria for SAQ A-EP include:

  • Using third-party services for payment processing.
  • Maintaining a website that directly interacts with cardholder data redirection.
  • Ensuring the website is hosted securely to prevent tampering.

Key requirements of this PCI DSS assessment involve:

  • Implementing robust security measures for the website, including firewalls and encryption.
  • Regularly testing for vulnerabilities and ensuring secure configurations.
  • Ensuring third-party service providers meet PCI DSS standards.
  • Monitoring for and preventing unauthorized access to web systems.

3. SAQ B

SAQ B, a PCI DSS assessment, is for those organizations that process card payments using standalone payment terminals. These terminals must not connect to the internet or store cardholder data electronically. Thus, conducting a PCI DSS assessment will help ensure that basic security requirements are met without requiring many complex compliance measures.

The eligibility criteria for SAQ B are:

  • Using standalone terminals connected through phone lines or similar methods.
  • Avoiding any storage of cardholder data in digital systems.
  • Ensuring that no electronic payment systems connect to the internet.

Moreover, this PCI DSS assessment helps organizations to verify:

  • Physical security of payment terminals to prevent tampering.
  • Secure communication channels, such as phone lines, for transactions.
  • Regular inspection of payment devices for signs of compromise.
  • Policies and procedures to handle cardholder data securely.

4. SAQ B -IP

You can perform a PCI DSS assessment for SAQ B - IP (SAQ B - Internet Protocol) if your organization uses payment terminals connected to the internet. These terminals process transactions securely through a PCI DSS-compliant service provider. Thus, performing SAQ B-IP will help to ensure that you take preventive steps to secure your organization’s environment.

Now, let’s see the eligibility criteria for conducting a PCI DSS assessment for SAQ B-IP.

  • Using payment terminals that have IP connections for the card transactions.
  • Relying on PCI DSS-compliant service providers for processing.
  • Ensuring the terminals do not store sensitive cardholder data.

Also, this PCI DSS assessment focuses on: 

  • Protecting terminals against unauthorized access
  • Ensuring secure communication of payment data using encryption
  • Verifying that the service provider handling transactions is compliant
  • Maintaining physical and logical security for payment devices

5. SAQ C

For SAQ C, perform a PCI DSS assessment if your organization processes payments through connected systems while maintaining limited access to sensitive data. These systems handle transactions but do not store sensitive card data. 

For conducting a PCI DSS assessment for SAQ C, the eligibility criteria include:

  • Using internet-connected payment systems for processing cardholder data.
  • Not storing cardholder data electronically after transactions.
  • Securing their payment systems and networks to prevent breaches.

By performing this PCI DSS security assessment, you can ensure that your organization secures the network and payment environment to meet PCI DSS requirements.

Also, this PCI DSS self-assessment questionnaire focuses on:

  • Encrypting cardholder data during transmission to prevent unauthorized access.
  • Regularly testing payment systems and network security.
  • Using strong firewalls and access controls to protect the environment.
  • Ensuring third-party payment processors comply with PCI DSS standards.

Now, suppose your organization operates in multiple locations. Each location uses a payment system connected to the internet to process payments. These systems send cardholder data to a secure payment processor without storing it locally. 

Your team ensures the payment systems are up-to-date, encrypted, and isolated from other networks. They also conduct vulnerability scans and verify the compliance of the payment processor. These steps help your organization meet SAQ C requirements.

6. SAQ C-VT

You need to perform a PCI DSS assessment for SAQ C-VT (Self-Assessment Questionnaire C – Virtual Terminal) if your organization processes cardholder data using a virtual terminal. A virtual terminal is a web-based interface provided by a third-party payment processor. 

This type of SAQ ensures that your organization secures its systems when handling card payments. The eligibility criteria for SAQ C-VT are:

  • Using a virtual terminal provided by a PCI DSS-compliant service provider.
  • Processing payments through a computer or device solely used for this purpose.
  • Ensuring that no sensitive cardholder data is stored in digital form.

Moreover, SAQ C-VT focuses on:

  • Using secure connections, such as HTTPS, to access the virtual terminal.
  • Limiting access to devices used exclusively for processing payments.
  • Ensuring the computer or device is protected with antivirus software and firewalls.
  • Restricting physical and network access to the device to prevent tampering or unauthorized use.

Imagine your organization has a subscription for a SaaS app and processes the subscription payment through a single, dedicated system. Your team uses this system to access a virtual terminal provided by a PCI DSS-compliant payment processor. 

This system has antivirus software installed and is restricted from accessing other networks or applications. Your team regularly updates the system and ensures secure access to the terminal. These steps align with SAQ C-VT requirements.

7. SAQ P2PE-HW

You can conduct a PCI DSS assessment for SAQ Point-to-Point Encryption Hardware (SAQ P2PE-HW) if your organization uses validated point-to-point encryption (P2PE) solutions. This ensures that your organization meets PCI DSS requirements with simplified compliance steps.

Eligibility for conducting a PCI DSS assessment under SAQ P2PE-HW requires:

  • Using only P2PE-approved devices for payment processing.
  • Not storing cardholder data electronically within your organization.
  • Relying on the P2PE solution provider to manage encryption and key handling.

SAQ P2PE-HW focuses on:

  • Ensuring that all payment devices are part of a validated Point-to-Point Encryption (P2PE) solution.
  • Maintaining the physical security of the devices to prevent tampering.
  • Following documented procedures provided by the P2PE vendor.
  • Conducting regular inspections to ensure the devices remain secure.

Overall, SAQ P2PE-HW simplifies PCI DSS compliance for your organization if it uses secure, validated payment devices. 

8. SAQ D

To meet SAQ D, you need to conduct a PCI DSS assessment if your organization processes, stores, or transmits cardholder data in complex environments. This ensures that your organization meets all applicable requirements.

The eligibility criteria for performing a PCI DSS assessment for SAQ D are:

  • Storing, processing, or transmitting cardholder data electronically.
  • Using complex IT systems, such as multi-point integrations or in-house payment solutions.
  • Handling scenarios not covered by simpler SAQ types, like P2PE or virtual terminals.

Key areas that SAQ D focuses on:

  • Securing cardholder data at rest and in transit through encryption and secure storage practices.
  • Implementing strong access controls and restricting access to sensitive data.
  • Regularly testing network security and running vulnerability scans.
  • Monitoring and logging access to cardholder data systems.
  • Ensuring third-party service providers meet PCI DSS requirements.

By following this PCI DSS assessment, your organization can protect sensitive data, reduce risks, and build customer trust.

Steps to Perform the PCI DSS Self-Assessment Questionnaire

Below are the steps to complete the PCI DSS assessment process.

Step 1: Determine your PCI DSS Level

The first step is to understand and identify your PCI DSS level. This will depend on the volume of card transactions your organization processes annually. Thus, knowing your level will guide you in determining which PCI DSS assessment you need to complete.

Step 2: Complete the self-assessment questionnaire

Choose the correct SAQ based on your PCI DSS level and complete it thoroughly. This questionnaire helps assess your security measures against PCI DSS requirements. 

Note: Ensure that you answer all questions correctly during the PCI DSS assessment.

Step 3: Gather your supporting documentation

Collect all relevant documentation to support your SAQ answers. This may include your company’s security policies, network diagrams, access control logs, and any evidence of security practices (like firewalls or encryption).

Step 4: Submit your SAQ and documentation

Once the SAQ is completed and all supporting documents are gathered, submit the entire package to your acquiring bank or payment card brand. Some banks or brands may have specific submission instructions, so it’s essential to confirm the process with them.

Step 5: Await confirmation of compliance

After submission, the acquiring bank or payment card brand will review your materials. If your SAQ and documentation meet the requirements, you will receive confirmation of PCI DSS compliance.

Step 6: Address non-compliance issues (if any)

If your SAQ is found to have gaps or non-compliance, you will be required to provide additional clarification or make necessary changes. Thus, work with your security team to resolve any issues efficiently.

Step 7: Maintain your ongoing compliance

You must continuously monitor and maintain your security measures to stay compliant. To achieve this, you need to regularly review your security protocols and perform periodic scans and assessments.

Simplify your PCI DSS Assessment Process

Regardless of whether your organization qualifies for SAQ A or SAQ D, compliance with PCI DSS is mandatory. It requires meeting strict security standards to protect cardholder data, including implementing security controls, encrypting account data, and controlling access to sensitive data. But how do you simplify this?

For instance, if you want to implement access control, you need to review your users’ access and remediate the unnecessary access. To streamline this process, you can leverage tools like Zluri. Zluri offers an access review solution that allows you to create access certifications for reviewing access.

The platform gives you clear visibility into who can access your systems and data. This ensures that only authorized individuals have access, helping your organization meet PCI DSS requirements.

But how can you prove your PCI compliance? Zluri simplifies this by providing an access review report. This report includes key details such as users, their roles in applications, review status, remediation actions, and more. These insights enable auditors to more effectively evaluate user access, demonstrating your commitment to compliance with PCI DSS.

Now, let’s take Intune as an example to see how you can automate access review in Zluri.

Also Read: If you want to meet the PCI DSS requirements, you can go through 12 PCI DSS Compliance Checklists.

Frequently Asked Questions (FAQs)

1. What is a PCI SAQ?

A PCI Self-Assessment Questionnaire (SAQ) is a subset of the PCI DSS compliance standard that requires an internal team to conduct the assessment. A merchant or service provider can only qualify for SAQ if it falls under PCI DSS Level 2, 3, or 4.

2. What is SAQ D for service providers?

SAQ D applies to service providers who handle cardholder data for merchants. This includes hosting, payment processing, and data storage. These providers must demonstrate that they follow PCI DSS by maintaining the security of stored data, protecting networks, and controlling access. 

3. How frequently do you need to complete the PCI SAQ?

Payment brands determine how frequently businesses must complete PCI SAQs. For Level 2-4 organizations, this happens once a year.

4. What is an electronic cardholder?

An electronic cardholder owns a digital version of a payment card, such as a credit or debit card, to facilitate electronic transactions. These cardholders keep their card details safe in digital wallets or payment systems. This allows quick and safe online purchases and payments.

5. What is a real-life example of credit card fraud?

Credit card fraud happens in many ways, including:

  • Someone taking over your account
  • Someone opening a new account in your name
  • Someone cloning your card
  • Someone using your card details without having the physical card

Often attackers get your information through methods like phishing or skimming. 
