Comparison

SAQ A vs SAQ D: which one do you need?

The questionnaire you fill in decides how much PCI DSS work you take on. The difference between SAQ A and SAQ D is roughly 30 requirements versus 300 — and it comes down to one thing: whether card data touches your systems.

Requirements in SAQ A: ~30

Requirements in SAQ D: ~300

Card data in scope (SAQ A): 0

Scope reduction with tokens: up to 95%

Side by side

SAQ A vs SAQ D, line by line

The same business looks completely different depending on whether it holds card data.

| Dimension | SAQ A (simplest) | SAQ D |
| --- | --- | --- |
| Who it is for | Fully outsourced card handling | You store / process / transmit card data |
| Approx. requirements | ~30 | ~300 |
| Card data in your systems | None | Yes |
| Cardholder data environment | Not required | Build, segment & maintain |
| ASV scanning & pen testing | Minimal | Full scope |
| Relative cost & effort | Low | High |
| Breach exposure | Transferred to vault | You hold the risk |

The path to SAQ A

How tokenization moves you from D to A

Three steps take card data out of your environment and qualify you for the simpler questionnaire.

01 Card collected by us

Card data is captured directly into our PCI DSS Level 1 vault — on your site, by phone or via API — never on your servers.

02 You get a token

Your systems store only a token. There is no card number to protect, scan or audit in your environment.

03 You qualify for SAQ A

With card data fully out of scope, the bulk of PCI DSS no longer applies to you. The questionnaire shrinks accordingly.

FAQ

SAQ A vs SAQ D, answered

01 What is the difference between SAQ A and SAQ D?

SAQ A is for merchants that fully outsource card data handling, so card data never touches their systems — around 30 requirements. SAQ D is for merchants that store, process or transmit card data and covers the full PCI DSS — around 300 requirements.

02 Can I move from SAQ D to SAQ A?

Yes. If you stop holding card data and use an external PCI DSS Level 1 vault that tokenizes it, card data leaves your environment. Most merchants then qualify for SAQ A.

03 Which SAQ is cheaper to maintain?

SAQ A, by a wide margin. With about a tenth of the requirements and no cardholder data environment to audit, it cuts assessment, infrastructure, scanning and staff costs.

Get to SAQ A and stay there

Move card data into our certified vault and shrink your PCI scope to the minimum.