SAQ Types Explained: Which PCI DSS SAQ Does Your UAE Business Need?
Complete guide to PCI DSS SAQ types A, A-EP, B, B-IP, C, and D - how to determine which Self-Assessment Questionnaire applies to your UAE payment environment.
Selecting the wrong PCI DSS Self-Assessment Questionnaire (SAQ) is the most common compliance error for UAE merchants - and the most consequential. Submit an SAQ A when your checkout architecture requires SAQ A-EP, and you’ve filed an inaccurate compliance attestation. Your acquiring bank may reject it, or worse, accept it - leaving you exposed if a card breach investigation later reveals the misclassification.
This guide explains every SAQ type, the payment scenarios each covers, and how to determine which one your UAE business needs.
What is an SAQ?
A Self-Assessment Questionnaire is a set of yes/no compliance questions that merchants complete annually to attest to their PCI DSS compliance status. The PCI Security Standards Council (PCI SSC) publishes multiple SAQ types - each tailored to a specific payment acceptance scenario. You submit your completed SAQ and Attestation of Compliance (AOC) to your acquiring bank as proof of annual compliance.
The SAQ replaced the need for most merchants to undergo a formal QSA audit - Level 1 merchants (over 6 million annual transactions) still require a formal Report on Compliance (ROC), but Level 2-4 merchants self-assess via SAQ.
The Six Merchant SAQ Types
SAQ A - Card-Not-Present, Fully Outsourced
Who it applies to: E-commerce merchants who have outsourced all cardholder data functions to PCI-compliant third parties. Your website never receives, stores, processes, or transmits cardholder data in any form. Customers are redirected to a fully hosted payment page.
Typical UAE example: An online store using a Telr hosted payment page, PayTabs redirect checkout, or Stripe Checkout (redirect flow) - where clicking “Pay” takes the customer to the payment provider’s domain.
Questions: ~22 (the shortest and simplest SAQ)
Key requirements: Ensure your gateway is on the Visa/Mastercard compliant service provider list. Maintain a security policy. That’s most of it.
SAQ A-EP - E-commerce, JavaScript Widget
Who it applies to: E-commerce merchants who outsource payment processing but whose website includes payment page scripts that could affect the security of the transaction. The card entry form appears to be on your website, even if the actual card data goes directly to the payment provider.
Typical UAE example: A merchant using Stripe Elements, Checkout.com Frames, Adyen Drop-in, or similar JavaScript widgets - where the card number field renders on the merchant’s own domain via an embedded script.
Questions: ~191
Key requirements: Web application firewall, vulnerability scanning, script integrity monitoring (new in PCI DSS v4.0), incident response procedures, and more rigorous access controls than SAQ A.
Important v4.0 change: PCI DSS v4.0 added Requirements 6.4.3 and 11.6.1 specifically targeting Magecart-style attacks on payment pages. All scripts on your payment page must be inventoried and their integrity monitored. SAQ A-EP merchants must implement these controls by March 2025.
SAQ B - Imprint Machines or Standalone Dial-Out Terminals
Who it applies to: Merchants using only paper-based imprint machines (very rare now) or standalone, dial-out payment terminals that are not connected to any other system or the internet. The terminal dials out directly to the acquirer’s network.
Typical UAE example: Very small merchants using legacy standalone dial-out terminals with no internet connectivity - increasingly uncommon as UAE acquirers push merchants to IP-connected terminals.
Questions: ~41
SAQ B-IP - Standalone IP-Connected Terminals
Who it applies to: Merchants using standalone, IP-connected payment terminals where the terminal connects to the payment processor over the internet, but the terminal is not connected to any other systems in the merchant environment.
Typical UAE example: A small retail merchant using a standalone Verifone or Ingenico terminal connected via the store’s broadband connection, with no integration to a POS system.
Questions: ~83
SAQ C - Payment Application Systems
Who it applies to: Merchants with payment application systems connected to the internet. If you run payment software on a computer, use a POS system with payment application software, or process payments through an application that connects to the internet, SAQ C likely applies.
Typical UAE example: A restaurant using a POS system like Lightspeed or Toast with card payment integration, or a retailer using a Windows-based POS with payment application software connected to the store network and internet.
Questions: ~159
SAQ D (Merchant) - All Other Merchants
Who it applies to: All merchants who don’t qualify for a simpler SAQ type. If you store cardholder data in any form - in a database, a spreadsheet, a paper record - SAQ D is mandatory. It also applies to merchants with complex environments that don’t fit the scenarios above.
Questions: ~329 (essentially a full PCI DSS assessment)
Important: SAQ D should be treated like a full PCI DSS program. Most merchants who complete SAQ D honestly without specialist help discover significant gaps during the process.
How to Determine Your SAQ Type
Work through these questions in order:
Do you store cardholder data (PAN, CVV, or track data) anywhere in your own systems? → If yes: SAQ D
Do you only use standalone dial-out terminals not connected to other systems? → If yes: SAQ B
Do you only use standalone IP-connected terminals not connected to other systems? → If yes: SAQ B-IP
Do you have a payment application connected to the internet (POS system, web-based payment app)? → If yes: SAQ C
Is your checkout page hosted entirely by your payment provider (redirect flow)? → If yes: SAQ A
Does your website have embedded payment scripts from your provider? → If yes: SAQ A-EP
If your payment environment spans multiple channels (e-commerce + in-store, for example), you may need to assess each channel separately.
When to Get Expert Help
If you’re unsure which SAQ type applies - which is the case for most UAE merchants with anything beyond a simple redirect checkout - a specialist SAQ determination takes one day and eliminates the compliance risk of misclassification. Contact pcidss.ae for a free SAQ type determination consultation.
Start Your PCI DSS Journey
Book a free 30-minute compliance discovery call with our PCI DSS specialists in Dubai. We assess your current posture and identify the fastest path to compliance - actionable findings in days.