
What is a PCI DSS assessment? Complete guide with checklist and questionnaire types

Last updated on October 10, 2025
4 min. read

Every organization that stores, processes, or transmits payment card data must answer one fundamental question: Are your security controls effective at protecting cardholder information? The Payment Card Industry Data Security Standard (PCI DSS) exists to provide that assurance. PCI DSS is a globally recognized framework designed to ensure that sensitive payment data is handled securely.

A PCI DSS assessment is the formal examination of your cardholder data environment against the 12 PCI DSS requirements. It uncovers gaps, enforces good practice, and demonstrates to your acquirer and the card brands that you manage cardholder data securely.

In this guide, you’ll learn what a PCI DSS assessment entails, the different types available, and how to determine which one fits your business model. You’ll also learn how to navigate the various SAQ types and the ROC process, and what documentation and evidence you need to demonstrate compliance.

What is a PCI DSS assessment?

A PCI DSS assessment serves two purposes: it validates that your controls meet the PCI DSS requirements, and it provides formal proof to card brands, acquiring banks, and customers that you take data security seriously.

Most merchants complete a Self-Assessment Questionnaire (SAQ), a self-administered form that covers only the requirements applicable to the way they accept payments. Whether you may self-assess is set by the card brands’ merchant levels and by your acquirer: Level 2 to 4 merchants typically use an SAQ. Which SAQ applies depends on your payment channels and on where cardholder data is stored, processed, or transmitted, not on transaction volume. The forms range from SAQ A (all cardholder data functions outsourced to validated third parties) to SAQ D (any environment that fits no narrower form).

Level 1 merchants (more than six million card transactions a year under the Visa and Mastercard programs) and Level 1 service providers (more than 300,000 transactions a year) must instead complete a Report on Compliance (ROC): an on-site assessment performed by a Qualified Security Assessor (QSA) or, where the acquirer or card brand permits, by a PCI-certified Internal Security Assessor (ISA). An acquirer can also demand a ROC from a lower-level merchant. The assessor reviews your documentation, tests controls on site, interviews staff, and examines the results of your quarterly ASV scans and penetration tests; commissioning those scans and tests remains your responsibility.

Understanding the distinction between SAQs and ROCs is essential. SAQs let smaller or lower-risk businesses demonstrate their controls cost-effectively, while ROCs give large-volume processors and service providers the independent verification that acquirers, card brands, and enterprise customers demand. Knowing which assessment applies to you sets the stage for efficient audit planning and resource allocation.

Types of PCI DSS assessments

1. SAQ A

SAQ A is for merchants that have outsourced all cardholder data functions to PCI DSS validated third-party service providers, so that no cardholder data is electronically stored, processed, or transmitted on the merchant’s own systems or premises (paper reports and receipts are permitted). For e-commerce this means the entire payment page is delivered by the provider, through a full URL redirect or an iFrame that the provider serves; mail and telephone order merchants qualify when the provider handles all card data. In practice you document each provider’s PCI DSS validation (its Attestation of Compliance), maintain contracts that make the provider responsible for the security of the cardholder data it handles, and periodically verify, through provider attestations and your own data-flow review, that no payment data flows through your environment.

Because you are not handling card data directly, the questionnaire focuses on third-party management, the redirect or iFrame mechanism, and a small set of controls on your own systems. The SAQ A eligibility criteria under PCI DSS v4.0.1 also require you to confirm that your website is not susceptible to script attacks that could affect the e-commerce system, so you still need to know exactly what runs on the checkout page. Watch for hidden payment forms, plugins, or scripts that could unintentionally capture or redirect card data; missing these pulls you into SAQ A-EP or SAQ D scope and invalidates an SAQ A attestation.

2. SAQ A-EP

E-commerce merchants whose website does not itself receive cardholder data but controls how customers or their card data are redirected to the payment provider use SAQ A-EP. Typical triggers are a Direct Post (the payment form is served from your page and posts card data straight to the provider) or provider JavaScript that builds the form inside your page. By contrast, a full URL redirect or an iFrame served entirely by the validated provider keeps you on SAQ A. SAQ A-EP builds on SAQ A’s outsourcing controls and adds requirements for secure web-application development, quarterly external scans by an Approved Scanning Vendor (ASV), access controls over any front-end code you control, and, under PCI DSS v4.0, an inventory with authorization and integrity checks for every payment page script (requirement 6.4.3) plus change- and tamper-detection on the payment page (requirement 11.6.1).

In one cohesive process, you map your site’s architecture with your developers, run and document passing ASV scans every three months, and retain records of secure code reviews. This ensures that, even though a third party processes payments, your website modifications cannot introduce card-data vulnerabilities, and it avoids the common mistake of assuming that outsourcing alone absolves you of responsibility.
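The hidden-form and script problem raised for SAQ A and SAQ A-EP above is easiest to manage with an inventory that is generated from the page itself rather than from memory. The script below is an added example, not Scrut’s code and not taken from any PCI SSC document: it parses a checkout page, lists every script, form, iframe and card-like input, and flags anything not on a documented allowlist. PAGE_HOST, APPROVED_HOSTS and the sample HTML are constructed for illustration; substitute your own hosts and fetch the live page.

```python
"""Inventory of scripts, forms and iframes on a checkout page.

Added example (not Scrut's code and not from any PCI SSC document): it
lists what a checkout page loads and posts to, and flags anything that
is not on a documented allowlist.  PAGE_HOST, APPROVED_HOSTS and the
sample HTML are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "shop.example.com"                             # constructed: the merchant's own site
APPROVED_HOSTS = {PAGE_HOST, "checkout.example-psp.com"}   # constructed: documented providers
CARD_HINTS = ("card", "pan", "cvv", "cvc", "expir")        # substrings that suggest a card field


class _Inventory(HTMLParser):
    """Collect script sources, form actions, iframe sources and card-like inputs."""

    def __init__(self):
        super().__init__()
        self.scripts, self.forms, self.iframes, self.card_inputs = [], [], [], []
        self._form_action = None   # action of the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            # ("inline", ...) for an embedded script; the flag records whether integrity= is set
            self.scripts.append((a.get("src", "inline"), "integrity" in a))
        elif tag == "form":
            self._form_action = a.get("action", "")
            self.forms.append(self._form_action)
        elif tag == "iframe":
            self.iframes.append(a.get("src", ""))
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if a.get("autocomplete", "").startswith("cc-") or any(h in name for h in CARD_HINTS):
                self.card_inputs.append((name, self._form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def _host(url):
    """Host a URL points at; relative URLs belong to the page itself."""
    return urlparse(url).netloc.lower() or PAGE_HOST


def audit_payment_page(html, approved=APPROVED_HOSTS):
    """Return the items a reviewer must justify, document, or remove."""
    inv = _Inventory()
    inv.feed(html)
    external = [(src, sri) for src, sri in inv.scripts if src != "inline"]
    return {
        "inline_scripts": sum(1 for src, _ in inv.scripts if src == "inline"),
        # script loaded from a host that is not on the documented allowlist
        "unapproved_scripts": [src for src, _ in external if _host(src) not in approved],
        # third-party script loaded without Subresource Integrity
        "scripts_without_sri": [src for src, sri in external
                                if _host(src) != PAGE_HOST and not sri],
        "unapproved_iframes": [u for u in inv.iframes if _host(u) not in approved],
        "unapproved_forms": [u for u in inv.forms if _host(u) not in approved],
        # a card field whose form posts to the merchant's own host means cardholder
        # data enters merchant systems: neither SAQ A nor SAQ A-EP is available
        "card_fields_posting_to_merchant": [n for n, act in inv.card_inputs
                                            if act is not None and _host(act) == PAGE_HOST],
        # a card field posted from the merchant's page straight to a provider
        # (direct post) is SAQ A-EP territory, not SAQ A
        "card_fields_direct_post": [n for n, act in inv.card_inputs
                                    if act is not None and _host(act) != PAGE_HOST],
        # card-like inputs outside any form are usually driven by script: trace them by hand
        "card_fields_without_form": [n for n, act in inv.card_inputs if act is None],
    }


# Constructed checkout page: merchant script, provider script with SRI, an
# undocumented analytics tag, a provider iFrame, and a direct-post card form.
SAMPLE_CHECKOUT = """<html><body>
<script src="/static/app.js"></script>
<script src="https://checkout.example-psp.com/v1/checkout.js"
        integrity="sha384-constructedExampleDigest" crossorigin="anonymous"></script>
<script src="https://cdn.analytics-example.net/tag.js"></script>
<script>window.dataLayer = [];</script>
<iframe src="https://checkout.example-psp.com/frame/123"></iframe>
<form action="/coupon" method="post"><input name="coupon"></form>
<form action="https://checkout.example-psp.com/direct" method="post">
  <input name="cardNumber" autocomplete="cc-number">
  <input name="cvc">
</form>
</body></html>"""

if __name__ == "__main__":
    for key, value in audit_payment_page(SAMPLE_CHECKOUT).items():
        print(f"{key}: {value}")
```

On the sample page the analytics tag is reported twice (unapproved host, no integrity attribute) and the direct-post form is reported as SAQ A-EP territory; the provider iFrame and the merchant’s own coupon form raise nothing. A static parse only sees what the server sends: scripts injected at runtime by other scripts are invisible to it, which is why the v4.0 requirements pair the inventory with tamper detection on the live page.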

3. SAQ B & B-IP

Merchants that accept payments only through imprint machines or standalone dial-out terminals (SAQ B), or through standalone PTS-approved point-of-interaction devices that connect to the processor over IP and to nothing else (SAQ B-IP), focus on securing those devices and their network connection. You begin by inventorying every terminal (model, serial number, and location), applying vendor-provided firmware updates, inspecting devices for tampering or substitution, and isolating payment devices from all other systems on your network. Neither form allows electronic storage of cardholder data.

These steps satisfy the SAQ’s requirements for device hardening, network segmentation, and terminal management and protect against attacks that jump from corporate networks to payment hardware. Overlooking adjacent systems or failing to maintain up-to-date firmware can leave gaps that attackers exploit, so thorough documentation and regular reviews are essential.

4. SAQ C & C-VT

When merchants process payments through a payment application on a system connected to the Internet (SAQ C), or by manually keying one transaction at a time into a virtual terminal hosted by a PCI DSS validated provider from an isolated computer (SAQ C-VT), the focus shifts to endpoint security and network controls. Neither form permits electronic storage of cardholder data. You configure firewalls to restrict traffic to what the payment function needs, install and update anti-malware, patch on a strict schedule, and protect virtual-terminal sessions with current TLS.

In your response, you provide network diagrams, firewall policies, patch-management logs, and anti-malware reports as integrated evidence. This holistic approach confirms that both physical endpoints and virtual interfaces remain continuously protected, rather than piecing together separate screenshots and reports, and it surfaces desktop-level risks such as unauthorized software that could undermine your security.

5. SAQ D

SAQ D for Merchants covers any SAQ-eligible merchant that does not meet the criteria for one of the narrower SAQs, most often because cardholder data is stored electronically or because payments are accepted through a channel or system the other forms exclude; transaction volume is not the criterion. SAQ D for Service Providers covers every service provider that is eligible to self-assess. This comprehensive questionnaire spans all 12 PCI DSS requirements, from network security and access control to encryption and penetration testing, with individual requirements marked not applicable only where you can justify it.

Completing SAQ D involves conducting an internal gap assessment, implementing each control end-to-end, and collecting all necessary evidence—such as policies, logs, configuration snapshots, scan reports, and test results—in one centralized repository. 

By treating SAQ D as a full compliance program rather than a simple form, you ensure that controls aren’t just documented but are actively tested and effective, preventing audit findings due to incomplete or outdated practices.

6. SAQ P2PE

SAQ P2PE applies to merchants, whether in-store or mail/telephone-order, that process every card transaction through hardware payment terminals belonging to a PCI SSC-listed Point-to-Point Encryption (P2PE) solution, never store unencrypted card data on any electronic system, and follow the solution’s P2PE Instruction Manual (PIM). In one cohesive workflow, you document the solution’s listing status, describe how encrypted data flows from the terminal to the solution provider, and confirm that the only retained data are paper receipts or printouts.

Because all sensitive data lives inside the P2PE solution, your scope shrinks dramatically: you focus only on solution deployment, device management, and periodic provider attestations, rather than the full set of PCI DSS controls. The key benefit is minimal compliance overhead—yet you must watch for any non-P2PE endpoints (like integrated point-of-sale systems) that could inadvertently capture card data and pull you back into full scope.

7. SAQ P2PE-HW

SAQ P2PE-HW is the earlier name for the same questionnaire: it was the PCI DSS v3.0 form for merchants using only hardware terminals from a validated, PCI SSC-listed P2PE solution, and from PCI DSS v3.1 onwards it is published simply as SAQ P2PE. If an acquirer or provider still refers to P2PE-HW, the current SAQ P2PE is the form you complete. The eligibility has not changed: it is not available to e-commerce, and it is designed strictly for brick-and-mortar or mail/telephone-order merchants that swipe, dip, or key transactions directly into the solution’s P2PE devices and handle no card data electronically anywhere else.

Your task is to verify that each terminal is one of the PTS-approved devices listed as part of the solution, describe how you follow the PIM for device inventory, inspection, and handling (cryptographic key management sits with the solution provider, not with you), and confirm that all retained data remains on paper. By concentrating on hardware-only controls, this SAQ lets you prove compliance in the shortest possible time, provided you maintain rigorous procedures around terminal replacement, physical security, and proof of the provider’s P2PE listing.

Which PCI SAQ is right for your business?

Assessment: SAQ A
Who needs it: Fully outsourced merchants (hosted payment page delivered by full redirect or provider-served iFrame; outsourced mail/telephone order)
What it covers: Third-party compliance, contract controls, no electronic storage of cardholder data
Key actions and pitfalls: Verify provider validations; watch for hidden plugins, scripts, or forms on the checkout page

Assessment: SAQ A-EP
Who needs it: E-commerce sites that influence how card data reaches the provider (Direct Post, provider JavaScript on the merchant page)
What it covers: Website architecture, secure coding, quarterly ASV scans, access controls, payment page script inventory and tamper detection
Key actions and pitfalls: Document every embedded script; keep scan reports current

Assessment: SAQ B / SAQ B-IP
Who needs it: Merchants using imprint machines or standalone dial-out terminals (B) or standalone IP-connected PTS-approved terminals (B-IP)
What it covers: Device hardening, firmware updates, tamper inspection, network segmentation
Key actions and pitfalls: Inventory devices; isolate terminals from all other networks

Assessment: SAQ C / SAQ C-VT
Who needs it: Merchants with an Internet-connected payment application (C) or a hosted virtual terminal used from an isolated computer (C-VT)
What it covers: Firewalls, anti-malware, patch management, TLS for sessions
Key actions and pitfalls: Maintain detailed configuration and patch logs; secure TLS sessions

Assessment: SAQ D
Who needs it: Merchants not eligible for any narrower SAQ (for example, electronic storage of cardholder data); all SAQ-eligible service providers
What it covers: All 12 requirements, policies, internal gap assessment, evidence collection, control testing
Key actions and pitfalls: Integrate the gap assessment into controls validation; centralize evidence

Assessment: SAQ P2PE (formerly P2PE-HW)
Who needs it: Merchants using hardware terminals from a PCI-listed P2PE solution, with no electronic storage of card data
What it covers: P2PE solution listing, PIM procedures, encrypted data flow, paper receipts only
Key actions and pitfalls: Document the P2PE flow; confirm there are no non-P2PE endpoints

PCI DSS assessment checklist: How to get started?

Use this checklist to track your progress through any PCI DSS assessment:

1. Define scope

  • Identify all systems, networks, and applications handling card data.
  • Document network diagrams and data flows.

2. Assemble policies & procedures

  • Maintain written security policies covering all 12 requirements.
  • Assign control ownership and review cycles.

3. Implement technical controls

  • Network security controls: Review firewall and router rule sets at least every six months (the PCI DSS minimum) and document every exception.
  • Access controls: Enforce unique IDs, multi-factor authentication for all access into the cardholder data environment, and least privilege.
  • Protecting account data: Never store sensitive authentication data (full track data, card verification code, PIN) after authorization; render stored PAN unreadable with strong cryptography and managed keys, truncation, index tokens, or keyed one-way hashes; mask PAN on display to at most the first six and last four digits; protect PAN in transit over open, public networks with strong TLS.
  • Logging & monitoring: Enable audit logs on every in-scope system, retain them for at least 12 months with the most recent three months immediately available, review them daily (automated tooling is acceptable), and make sure the logs themselves never capture PAN or sensitive authentication data.

4. Conduct vulnerability management

  • Run external vulnerability scans at least every three months through an Approved Scanning Vendor (ASV), rescanning until you have a passing scan, and again after significant changes.
  • Run internal vulnerability scans at least every three months (authenticated scans under PCI DSS v4.0) and after significant changes, and remediate high-risk and critical findings.

5. Perform penetration testing

  • Schedule external and internal penetration tests of networks and applications at least annually and after significant changes, using a documented, industry-accepted methodology.
  • If you rely on segmentation to reduce scope, test that the segmentation controls work at least annually (every six months for service providers) and after changes to them.
  • Document test plans, findings, and remediation steps, and retest to confirm fixes.

6. Gather evidence

  • Collect configuration files, scan reports, change logs, and policy sign-offs.
  • Store evidence in a centralized repository with version control.

7. Complete SAQ or ROC

  • For SAQs: Answer each question truthfully, keep the supporting evidence on file (you retain it; it is not submitted with the form), and sign the Attestation of Compliance.
  • For ROCs: Coordinate with your QSA, provide access to systems and staff, review draft findings, and remediate open items before the assessor signs off.

8. Submit to acquirer & card brands

  • Send your SAQ or ROC package and Attestation of Compliance by the deadlines.
  • Address any follow-up queries promptly.
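Two of the checklist steps above come down to the same question: where is a full PAN sitting that nobody documented? Step 1 (identify every system handling card data) and the logging and display-masking points in step 3 are both served by a scanner that looks for card numbers in text. The script below is an added example, not Scrut’s code: it finds 13- to 19-digit sequences that pass the Luhn check in log lines, exports, or tickets, and rewrites them masked to first six / last four. The log excerpt is constructed, and the card numbers in it are the well-known public test numbers, not real accounts.

```python
"""Find and mask primary account numbers (PANs) in free text.

Added example (not Scrut's code): a scoping and log-hygiene check that
scans text such as application logs, database exports or support
tickets for 13- to 19-digit sequences that pass the Luhn check and
rewrites them masked to first six / last four.  The log lines are
constructed, and the card numbers in them are the well-known public
test numbers, not real accounts.
"""
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check digit test; PANs issued by the major brands pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(match):
    """Strip the separators from a regex match, leaving digits only."""
    return re.sub(r"[ -]", "", match.group())


def find_pans(text):
    """Return the Luhn-valid PAN candidates in text, digits only, in order of appearance.

    Luhn removes roughly nine in ten random numeric false positives, not all of
    them: confirm survivors against your issuer/BIN ranges or by inspection.
    """
    return [_digits(m) for m in _CANDIDATE.finditer(text) if luhn_ok(_digits(m))]


def mask_pan(digits):
    """First six / last four, the most PCI DSS allows on a display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text):
    """Replace every Luhn-valid PAN in text with its masked form; leave everything else alone."""
    return _CANDIDATE.sub(
        lambda m: mask_pan(_digits(m)) if luhn_ok(_digits(m)) else m.group(), text)


# Constructed log excerpt: one PAN with spaces, one inside a JSON body, one
# tokenised transaction, and a 16-digit trace id that fails the Luhn check.
SAMPLE_LOG = """\
2025-10-10T12:00:01Z order=8471 pan=4111 1111 1111 1111 status=auth_ok
2025-10-10T12:00:02Z order=8472 token=tok_1ab9fa3c status=auth_ok
2025-10-10T12:00:03Z debug body={"number":"378282246310005","cvv":"***"}
2025-10-10T12:00:04Z trace_id=4111111111111112 status=timeout
"""

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Run it over log archives, database dumps, and ticketing exports while defining scope: every hit is a system that is in scope today, whatever the data-flow diagram says, and a log line carrying a full PAN is a finding in its own right. Masking output like this is for display and for cleaning up unintended copies; it is not a substitute for rendering stored PAN unreadable where you have decided to keep it, which needs strong cryptography with key management, truncation, index tokens, or keyed hashes.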

Automating PCI DSS assessments with Scrut

Scrut’s smartGRC platform transforms your PCI DSS assessment into a seamless, continuous process by embedding key tasks into daily workflows:

1. Automated PCI DSS control mapping

Scrut provides over 50 pre-built PCI DSS control templates, each linked to the precise evidence artifacts and responsible stakeholders. Rather than drafting policies from scratch, you assign owners and activate controls immediately, ensuring comprehensive coverage of every requirement without extensive setup.

2. Pre-configured audit workspace

When you engage a QSA, Scrut’s audit workspace is already prepared. Assessors access the same portal as your internal teams, review control evidence, add comments, and confirm compliance status directly. This unified environment maintains a clear record of questions and resolutions for each control.

3. End-to-end evidence automation

To satisfy PCI DSS requirements for log retention, configuration management, and vulnerability evidence, Scrut integrates with more than 70 systems—including AWS, Azure, GCP, GitHub, Jira, and ServiceNow. Any change to a firewall rule or a closed security ticket is captured automatically and attached to the relevant control, eliminating manual uploads.

4. Support for all SAQs and ROC documentation

Whether you complete an SAQ A or SAQ D, or require a full ROC, Scrut filters the control set to match your environment. The platform guides you through the appropriate SAQ or ROC process and assembles all necessary documentation in one location, reducing uncertainty about what applies and what evidence is needed.

5. Real-time compliance tracking

PCI DSS demands ongoing monitoring of security controls. Scrut’s dashboard displays live statuses for each control, upcoming vulnerability scan windows, open findings, and key audit milestones. Configurable notifications alert you immediately to any drift—such as an expired certificate or missing patch—so you address issues before they affect your next assessment.

Tired of juggling spreadsheets for your PCI DSS assessment? Scrut automates audit workflows, so you can focus on security, not checklists. Schedule a demo with Scrut today.
