PCI DSS Self-Assessment Guide for UK Retailers: Which SAQ Do You Need?

PCI DSS compliance for most UK retailers is completed through a Self-Assessment Questionnaire (SAQ). But choosing the right SAQ — and understanding what evidence and controls it requires — is not always straightforward. This guide helps you identify the right SAQ for your specific payment processing approach and understand what achieving compliance actually requires.

Over 60% of UK retailers choose the wrong PCI DSS SAQ for their payment environment — either over-complicating their compliance or failing to address their actual scope.

SAQ Decision Guide for UK Retailers

Use the following decision tree to identify your SAQ:

  • Do you only accept card payments online, through a fully hosted payment page where the customer never interacts with your server? → SAQ A (22 questions)
  • Do you only accept cards in person, using standalone dial-out terminals (not connected to your network or computer)? → SAQ B (41 questions)
  • Do you accept cards in person using standalone IP-connected terminals that don't store cardholder data? → SAQ B-IP (83 questions)
  • Do you only process card payments via web-based virtual terminals (browser-based, hosted by a PCI DSS compliant provider)? → SAQ C-VT (67 questions)
  • Do you have a payment application connected to the internet, and no electronic cardholder data storage? → SAQ C (83 questions)
  • Do you use a PCI SSC-validated Point-to-Point Encryption solution? → SAQ P2PE (33 questions)
  • None of the above apply, or you store electronic cardholder data → SAQ D (full assessment — 329 questions)

Reducing Your SAQ Level Through Technology Choices

If you are currently completing SAQ C or SAQ D, or an SAQ that feels disproportionately complex for your business, consider whether a technology change could reduce your scope: moving to a hosted payment page eliminates server-side card processing and qualifies most e-commerce retailers for SAQ A; implementing a PCI-validated P2PE solution for in-store payments reduces physical retail scope to SAQ P2PE; and tokenising repeat card transactions eliminates the stored cardholder data that would otherwise require SAQ D. These technology changes involve upfront investment, but they typically deliver a permanent reduction in annual compliance overhead and reduce your breach exposure. Kyanite Blue can advise on PCI DSS scope reduction strategies for your specific retail environment.

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
