
How to Complete Your PCI DSS SAQ

A Practical Guide for Clients

This guide explains how to complete your PCI DSS Self-Assessment Questionnaire (SAQ) accurately and confidently.

It is designed for:

  • Clients completing PCI DSS via self-assessment
  • Non-specialists who are not PCI experts
  • UK and EU businesses using modern payment providers

You do not need to be an auditor to complete an SAQ, but accuracy matters.


What an SAQ actually is

A Self-Assessment Questionnaire (SAQ) is how most smaller merchants and service providers validate PCI DSS compliance. Larger merchants are usually required by their acquirer or card brand to have a Qualified Security Assessor produce a Report on Compliance (RoC) instead, so confirm with your acquirer that self-assessment is permitted for you.

It:

  • Contains questions mapped to PCI DSS requirements
  • Applies only to your specific payment setup
  • Must be completed annually, at a minimum
  • Is supported by evidence (even if not submitted)

The SAQ is a formal declaration, not a checklist or survey.


Before you start

Before answering any SAQ questions, make sure:

  • Your PCI DSS scope is defined and documented
  • You know which SAQ you are completing (A, A-EP, D, etc.)
  • Relevant controls are implemented
  • Evidence is available to support your answers

If any of these are unclear, stop and resolve them first.


How to interpret SAQ questions

Read the intent, not just the wording

SAQ questions are written in formal language. When answering, ask:

Is this control operating in practice today, and can we demonstrate it?

If the answer is “sometimes” or “mostly”, that is usually not a “Yes”.


What “Yes” really means

You should only answer Yes (labelled “In Place” in the PCI DSS v4.x SAQ forms) if:

  • The control is fully implemented
  • It applies to your environment
  • It operates consistently
  • Evidence exists to support it

Example
If MFA is required for administrative access to in-scope systems:

  • MFA enforced for every administrative account and every access path into those systems → Yes
  • MFA enabled for some administrators, or enforced on one access path but optional on another → No

If a requirement is met through a compensating control rather than as written, record it as “In Place with CCW” with a completed Compensating Control Worksheet, not as a plain Yes.
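As an added example (not code from the original page or from the platform it describes), the check below turns an exported user list into the answer for this requirement and a record of the gaps. The export format, the field names (`username`, `roles`, `mfa_enabled`, `status`) and the `admin` role name are assumptions; a real identity-provider or back-office export will differ and the sample data is constructed.

```python
"""Assess MFA coverage for administrative accounts from a user export.

Added example. The export layout, field names and role names below are
assumptions, and the sample export is constructed, not real data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample export (assumed shape). Note that one active admin lacks MFA,
# one disabled admin lacks MFA, and a non-admin account is present.
SAMPLE_EXPORT = """[
  {"username": "alice",      "roles": ["admin"],            "mfa_enabled": true,  "status": "active"},
  {"username": "bob",        "roles": ["admin", "billing"], "mfa_enabled": false, "status": "active"},
  {"username": "carol",      "roles": ["support"],          "mfa_enabled": true,  "status": "active"},
  {"username": "dave",       "roles": ["admin"],            "mfa_enabled": false, "status": "disabled"},
  {"username": "svc-deploy", "roles": ["admin"],            "mfa_enabled": true,  "status": "active"}
]"""

ADMIN_ROLES = frozenset({"admin"})  # assumed name(s) of administrative roles


@dataclass(frozen=True)
class MfaAssessment:
    """Result of the check: the SAQ answer plus the numbers and names behind it."""
    answer: str             # "Yes" only when every in-scope account has MFA
    in_scope: int           # active accounts holding an administrative role
    covered: int            # of those, how many have MFA enabled
    gaps: tuple[str, ...]   # usernames of in-scope accounts without MFA

    @property
    def coverage(self) -> float:
        return self.covered / self.in_scope if self.in_scope else 0.0


def assess_admin_mfa(export_json: str, admin_roles=ADMIN_ROLES) -> MfaAssessment:
    """Return the SAQ answer for 'MFA for all administrative access'.

    Disabled accounts cannot log in, so they are excluded (assumption); they
    become a gap again the moment they are re-enabled without MFA.
    """
    users = json.loads(export_json)
    in_scope = [
        u for u in users
        if u.get("status") == "active" and admin_roles & set(u.get("roles", []))
    ]
    if not in_scope:
        # An export with no active administrators is almost certainly the wrong
        # export or the wrong role name, not evidence that the control applies to nobody.
        raise ValueError("no active administrative accounts found; check export and role names")

    gaps = tuple(sorted(u["username"] for u in in_scope if not u.get("mfa_enabled")))
    covered = len(in_scope) - len(gaps)
    # "Mostly" is not "Yes": a single uncovered administrator makes the answer No.
    answer = "Yes" if not gaps else "No"
    return MfaAssessment(answer, len(in_scope), covered, gaps)


def evidence_summary(result: MfaAssessment, source: str) -> str:
    """Plain-text summary suitable for attaching to the SAQ answer as evidence."""
    lines = [
        f"Requirement: MFA for all administrative access",
        f"Evidence source: {source}",
        f"Active administrative accounts: {result.in_scope}",
        f"With MFA enabled: {result.covered} ({result.coverage:.0%})",
        f"SAQ answer: {result.answer}",
    ]
    if result.gaps:
        lines.append("Accounts without MFA: " + ", ".join(result.gaps))
    return "\n".join(lines)


if __name__ == "__main__":
    result = assess_admin_mfa(SAMPLE_EXPORT)
    print(evidence_summary(result, "user export (constructed sample)"))
```

Run it against the real export each time the SAQ is reviewed rather than once a year: the summary it prints is the kind of dated, requirement-linked evidence an assessor will ask for, and the gap list is the remediation backlog for any “No”.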

What “No” means (and why it’s OK)

Answering No (“Not in Place” in the v4.x forms) does not mean your PCI DSS programme has failed.

It means:

  • The control is not yet fully in place
  • Remediation is required, and the SAQ and Attestation of Compliance will record the gap together with a target date and action plan for your acquirer to review
  • The gap is acknowledged honestly rather than hidden

Many organisations improve compliance over time. Accuracy is more important than perfection.


Using “Not Applicable” correctly

You can only answer Not Applicable if:

  • The requirement genuinely does not apply to your scope
  • You can explain why if asked

Example
A requirement about physical card terminals may be Not Applicable if you operate a fully online SaaS platform.

Never use “Not Applicable” to avoid implementing a control.


Common SAQ mistakes to avoid

1. Assuming your payment provider covers everything

Even if you use Stripe or PayPal, you still have PCI DSS responsibilities: for example, how the payment page reaches the cardholder’s browser, the security of the systems and people that could change it, and managing the provider as a third-party service provider.


2. Selecting the wrong SAQ

SAQ A vs SAQ A-EP is one of the most common errors.

SAQ A covers e-commerce where all card-data functions are outsourced and the cardholder’s browser is handed to the provider by a full-page redirect or by an iframe served from the provider. If your own web page collects or routes card data to the provider in any other way (for example a direct-post form or a JavaScript-based payment form on your page), your website can affect payment security and SAQ A-EP is normally required.


3. Answering based on intention, not reality

Planned controls are not implemented controls.


4. Reusing last year’s answers without review

PCI DSS v4.x expects ongoing accuracy, not copy-and-paste compliance.


Evidence: what assessors expect

Even if you are not submitting evidence with your SAQ, you should be able to produce it if requested.

Good evidence is:

  • Current
  • Relevant to the requirement
  • Easy to understand
  • Clearly linked to the control

Examples include:

  • Screenshots of settings
  • Configuration exports
  • Policy documents
  • Logs or reports

How we support SAQ completion

Within the platform, we help you:

  • See which controls support each SAQ question
  • Link evidence to answers
  • Flag answers that may need review
  • Maintain consistency across responses

This reduces risk and review effort.


Review before submission

Before submitting your SAQ:

  • Have a second person review it
  • Check that evidence exists for all “Yes” answers
  • Confirm scope and SAQ selection are still accurate

This simple review step prevents most issues.


After completing the SAQ

Once your SAQ is complete:

  • You’ll complete an Attestation of Compliance (AoC), which records the compliance status and, for any “No” answers, the remediation plan
  • Submit the SAQ and AoC to your acquiring bank or payment processor in the form and frequency they require
  • Maintain controls and evidence throughout the year, since the next SAQ must reflect what is operating then, not what was true at the last submission

Key takeaway

An SAQ is not about passing — it’s about accurately representing your security posture.

Honest, evidence-based answers protect your organisation far more than optimistic ones.