
You're not alone if PCI compliance feels like regulatory whack-a-mole.

Your payment processor sends an email: "Complete your annual PCI SAQ by Friday." You google "PCI SAQ" and find five different questionnaires—A, A-EP, B, C, D—each with different requirements.

One's 22 questions. Another's 329. You have no idea which one applies to you.

Pick the wrong one and you waste hours answering irrelevant questions. Or worse, you skip controls you actually need—and open yourself to breaches, fines, or processor penalties.

The fix? This quiz.

It asks how you take payments today, where card data flows, and what systems touch it. Two minutes later, you get your SAQ type, a plain-English rationale, and a checklist to act on.

How This PCI SAQ Quiz Works

The quiz walks through your payment environment systematically:

  1. How customers enter card data. Hosted checkout? On-site payment page? Standalone terminal? POS on your network? Virtual terminal? The answer determines your baseline scope.
  2. Where card data flows. You'll confirm what systems touch card data and whether anything stores it (even temporarily). Storage changes everything.
  3. P2PE and manual entry checks. P2PE-validated terminals shrink scope dramatically. Manual key-entry in a browser—even "just sometimes"—widens it.
  4. Final verification questions. A few yes/no questions nail down edge cases and confirm your setup.
  5. Your result. Get your SAQ type, why it fits your business, and a concrete to-do list to get compliant without wasting time.

What You Get From Your Result

  • Your exact SAQ type. No guessing. The quiz tells you which questionnaire to complete—A, A-EP, B, C, or D—based on how you actually accept payments.
  • Plain-English rationale. You'll see why this SAQ fits your setup, so you can explain it to your processor, auditor, or team without sounding like you're reading from a compliance manual.
  • Actionable checklist. Concrete next steps—segment your network, switch to hosted fields, deploy P2PE—that turn compliance into a project you can finish this quarter instead of dragging it out for months.
  • Context for deeper learning. New to PCI? We link to our guide on PCI compliance for small business so you can understand the why behind each requirement.

Quick SAQ Definitions—What Each Type Actually Means

SAQ A — Card data never touches your systems

Fully hosted ecommerce or recurring billing. Your site redirects to a payment page or uses an iframe where the payment provider handles everything. Your systems never see, process, or store card data.

SAQ A-EP — Your site hosts payment elements

Your website hosts payment pages, JavaScript, or scripts that could affect the checkout flow. Higher scope than SAQ A because your infrastructure touches the payment process—even if it doesn't store card data.

SAQ B — Dial-out terminals only

Standalone terminals that dial out over a phone line, or old-school imprint machines. No internet connection to your network means minimal scope.

SAQ C — Standalone IP-connected terminals

Payment terminals connected to the internet but isolated from your business network. Common in retail with segmented POS setups. No storage of card data.

SAQ D — Everything else

Custom payment flows, any storage of card data, or broad network scope where multiple systems could access payment data.

This is the big one—329 questions covering your entire environment.

Common Mistakes That Put You in the Wrong SAQ

  • Assuming you're SAQ A when you embed payment fields. Iframes and hosted redirects can qualify as SAQ A—but if your page loads payment fields directly (even through JavaScript), you're likely looking at A-EP instead. The quiz clarifies this fast.
  • Letting staff key cards into a browser—even "just sometimes." One store manager typing card details into a virtual terminal on an uncontrolled laptop widens your PCI scope. Fix the workflow with proper terminals or a locked-down virtual terminal setup.
  • Skipping P2PE. Point-to-point encryption devices mean card data gets encrypted at the terminal and stays encrypted until it hits your processor. P2PE-validated terminals dramatically reduce scope—ask your provider about them.
  • Mixing systems on a flat network. POS terminals on the same network as your admin workstations, WiFi, and other devices? That's scope creep. Segment your network so payment systems are isolated. It's less work than you think and saves massive audit pain later.
  • Ignoring mobile payments. If you take orders via phone and key cards into a virtual terminal, that counts. If your app processes payments, that counts. The quiz accounts for these scenarios.
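To make the scoping logic concrete, here is an added example (not code from The Retail Exec or its quiz) that encodes the SAQ definitions and the scope-widening mistakes above as a decision function plus a scope-reduction checklist. The PaymentEnvironment fields and channel names are assumptions; where the page does not assign an SAQ type (P2PE), the code only adds a checklist item rather than changing the classification.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class PaymentEnvironment:
    """Answers to the quiz's scoping questions (field names are assumed, not the quiz's)."""
    channel: str                        # "hosted", "self_hosted_fields", "dial_out",
                                        # "ip_terminal" or "virtual_terminal"
    stores_card_data: bool              # any storage, even temporary
    terminals_segmented: bool = True    # IP terminals isolated from the business network
    manual_browser_entry: bool = False  # staff key cards into a browser, even "just sometimes"
    p2pe_validated: bool = False        # P2PE terminals: page says they shrink scope, assigns no type


def classify_saq(env: PaymentEnvironment) -> Tuple[str, str]:
    """Return (SAQ type, rationale). Most scope-widening conditions are checked first."""
    if env.stores_card_data:
        return "D", "Any storage of card data, even temporary, puts you in SAQ D."
    if env.manual_browser_entry or env.channel == "virtual_terminal":
        return "D", "Keying cards into a browser means your systems touch card data: 'everything else'."
    if env.channel == "hosted":
        return "A", "Fully hosted redirect or iframe: your systems never see, process or store card data."
    if env.channel == "self_hosted_fields":
        return "A-EP", "Your site hosts payment pages or scripts affecting checkout, wider than SAQ A."
    if env.channel == "dial_out":
        return "B", "Standalone dial-out or imprint terminals with no connection to your network."
    if env.channel == "ip_terminal":
        if env.terminals_segmented:
            return "C", "IP-connected terminals isolated from the business network, no storage."
        return "D", "Terminals on a flat network with other devices widen scope to the whole environment."
    return "D", "Custom or unrecognised payment flow: everything else is SAQ D."


def scope_reduction_steps(env: PaymentEnvironment) -> List[str]:
    """Checklist items drawn from the page's fixes; empty when nothing obvious applies."""
    steps = []
    if env.stores_card_data:
        steps.append("Stop storing card data, even temporarily; let the processor hold it.")
    if env.manual_browser_entry or env.channel == "virtual_terminal":
        steps.append("Replace browser keying with proper terminals or a locked-down virtual terminal.")
    if env.channel == "self_hosted_fields":
        steps.append("Switch to hosted checkout or hosted fields so your site stops touching card data.")
    if env.channel == "ip_terminal" and not env.terminals_segmented:
        steps.append("Segment the network so payment terminals are isolated from other devices.")
    if env.channel in ("dial_out", "ip_terminal") and not env.p2pe_validated:
        steps.append("Ask your provider about P2PE-validated terminals to shrink scope.")
    return steps
```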

Next Steps After You Get Your Result

If you're tight on resources, use the quiz checklist alongside our PCI compliance for small business guide.

You'll move step by step without hiring a consultant until you actually need one.

If you're re-platforming or upgrading systems, prioritize providers with hosted fields and P2PE support.

Our best payment gateway providers comparison covers which platforms make compliance easier—and which ones create headaches.

If the quiz points you to SAQ D, don't panic.

Yes, it's the longest questionnaire, but many businesses start there and work backward by reducing scope.

Deploy P2PE terminals, switch to hosted checkout for ecommerce, and segment networks. Within a few months, you could qualify for a simpler SAQ—and save ongoing audit time and money.

Why This Matters More Than Most Retailers Think

PCI isn't just about avoiding fines—though those add up fast. It's about protecting your business from breach costs that average $200 per compromised card according to industry data.

A breach at a mid-sized retailer taking 500 cards per month could cost $100,000 in forensics, notification, card reissuance, and brand damage.

The right SAQ means you focus on controls that actually reduce risk, instead of checkbox compliance on irrelevant requirements. It's the difference between wasting a week on the wrong questionnaire and finishing compliance in an afternoon with a clear checklist.

Take the quiz now—two minutes to know your SAQ, then act on it.

Sean Flannigan

Sean is the Senior Editor for The Retail Exec. He's spent years getting acquainted with the retail space, from warehouse management and international shipping to web development and ecommerce marketing. A writer at heart (and in actuality), he brings a deep passion for great writing and storytelling to retail topics big and small.