One of the most common points of confusion in PCI DSS compliance is the assessment process itself. Do you need a Qualified Security Assessor to conduct a full audit and produce a Report on Compliance? Or can you complete a Self-Assessment Questionnaire? And if an SAQ, which of the multiple SAQ types applies to your payment environment?
The answer depends on your payment channels, your transaction volumes, and the requirements of your acquiring bank or payment brand. Getting the assessment path right matters — completing an SAQ when you should have had a ROC is a compliance shortcut that creates real risk, and engaging a QSA for a full ROC when an SAQ would have been appropriate is an unnecessary expense.
Who Requires What: The Role of Payment Brands and Acquirers
The PCI DSS assessment requirements are not set by the PCI SSC — they are set by the payment brands (Visa, Mastercard, American Express, Discover, JCB) and enforced through your acquiring bank. The PCI SSC provides the standard; the payment brands determine the validation requirements based on merchant or service provider level.
Merchants are typically tiered by annual transaction volume. Level 1 merchants — those processing more than 6 million transactions per year, or any merchant that has suffered a breach — are required to complete an annual ROC conducted by a QSA, along with quarterly network scans by an Approved Scanning Vendor. Level 2, 3, and 4 merchants typically validate through SAQs, with the specific SAQ type depending on their payment channel.
Service providers are similarly tiered: Level 1 service providers (typically those storing, processing, or transmitting more than 300,000 transactions annually) require annual ROCs. Level 2 service providers may use SAQs.
Your acquiring bank will tell you your merchant or service provider level and the validation requirements that apply. If you are uncertain, ask them directly — the requirements are specific to your relationship with the card brands.
Understanding the SAQ Types
The SAQ is not a single document. PCI DSS v4.0 includes nine SAQ types, each designed for a specific payment channel configuration:
SAQ A is the most limited in scope and applies to card-not-present merchants (e-commerce, mail, or telephone) that have fully outsourced all payment functions to a third-party PCI DSS-compliant service provider, with no electronic storage or processing of cardholder data on the merchant’s own systems. This is the SAQ used by merchants who redirect customers entirely to a third-party payment page.
SAQ A-EP applies to e-commerce merchants whose website does not directly receive cardholder data but where the merchant’s website could impact the security of the payment transaction — for example, where scripts on the merchant’s site control the payment page or redirect to a payment processor. Requirements 6.4.3 and 11.6.1, the new e-commerce controls in v4.0, apply here.
SAQ B covers merchants using imprint machines or standalone dial-up terminals only, with no electronic cardholder data storage. SAQ B-IP covers merchants with standalone, IP-connected payment terminals that are not connected to the merchant’s network or systems.
SAQ C applies to merchants with payment application systems connected to the internet. SAQ C-VT covers merchants using virtual payment terminals accessed via a browser.
SAQ D is the most comprehensive SAQ type — it covers all remaining merchants not covered by SAQ A through C, and all service providers eligible for SAQ validation. SAQ D covers the full PCI DSS requirement set and is significantly more demanding than the limited-scope SAQ types.
When a ROC Adds Value Beyond Compliance
For organisations not required to complete a ROC, there are circumstances where engaging a QSA for a full assessment adds genuine value beyond compliance validation. Organisations that have suffered a security incident involving payment card data will typically be required to complete a forensic investigation and a full ROC regardless of their merchant level. Organisations building new payment environments, or significantly changing their existing CDE architecture, may benefit from QSA involvement during the design phase — identifying compliance issues before they are built in rather than after.
The ROC is also the standard that enterprise clients and payment partners increasingly reference in vendor due diligence. For service providers in particular, a QSA-validated ROC carries significantly more weight than a merchant SAQ as evidence of payment security maturity.
At Bitsecura, we help organisations determine the right assessment path for their payment environment, prepare for QSA assessments, and complete SAQ processes with confidence. If you are unsure which validation path applies to you, or want support preparing for an assessment, talk to us here.
Bitsecura provides PCI DSS compliance support, gap assessment, and QSA readiness services. Learn more about our PCI DSS services.