SAQ vs. RoC: What’s the Difference in PCI DSS Compliance?

When businesses are asked to prove they’re handling cardholder data securely and in line with the PCI DSS (Payment Card Industry Data Security Standard), there are two main ways to do it: through a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (RoC).

Both serve the same purpose: they demonstrate PCI DSS compliance. But they’re very different in terms of effort, process, and who’s involved. Knowing which one applies to your business can save a lot of time, money, and headaches.

SAQ or RoC: What’s the Difference?

An SAQ is exactly what the name suggests: a questionnaire you complete yourself. It’s effectively a self-check where you confirm how your business measures up against the PCI DSS requirements. There’s no external review, so you’re responsible for being accurate and honest. Cutting corners might seem tempting, but if your acquiring bank discovers inconsistencies later, it can lead to financial penalties and reputational damage. The benefit is that it’s straightforward, doesn’t involve outside auditors, and mainly costs you time.

A RoC is a different story. This is a full audit carried out by a Qualified Security Assessor (QSA), a professional certified by the PCI Security Standards Council. The QSA digs into every requirement, gathering evidence such as policies, screenshots, firewall configs, and interview notes. These assessments often take weeks, with the auditor onsite for part of that time. Because of the level of detail, a RoC is resource-intensive, both in terms of staff time and financial cost.

When Is a RoC Required?

For merchants, the short answer is: when your acquiring bank tells you to. If they allow you to keep using an SAQ, great, but once you’re processing card volumes that place you in the Level 1 merchant category, expect to complete a RoC. Even if you don’t hit that threshold, a bank may still insist on a RoC if it sees your business as high-risk or if you’ve been breached in the past.

Service providers face slightly different dynamics. Instead of banks, it’s usually clients who require proof of PCI DSS compliance. If you’re storing, processing, or transmitting significant amounts of card data, or if you could impact their security or compliance, your customers may ask for a RoC rather than accepting an SAQ.

So, Which SAQ Do I Need?

If you’re completing an SAQ, the next challenge is figuring out which version applies. The PCI Council has created several, each designed for different payment setups. For example:

  • SAQ A – for merchants who fully outsource card processing to a PCI-compliant third party, with no electronic storage of cardholder data.
  • SAQ A-EP – for e-commerce merchants whose websites influence how payment data is entered, even if a third party ultimately processes it.
  • SAQ B – for merchants using standalone payment devices without electronic storage of card data.
  • SAQ D – the most comprehensive version, applying if your business doesn’t neatly fit into the other categories.

The right SAQ depends on how you accept payments, what systems you use, and whether you store, process, or transmit cardholder data. Picking the wrong one isn’t just a paperwork issue: it can leave you exposed to compliance gaps.

Wrapping Up

The choice between an SAQ and a RoC isn’t really a choice. It depends on your merchant level, your role in the payment process, and sometimes simply what your bank or clients demand. What you can control is making sure you understand which option applies and being prepared for what it involves.

If you’re unsure which SAQ fits your situation, or you think you might be moving toward RoC territory, it’s worth getting expert advice before you commit time and resources. It’ll make the process smoother and help you stay on the right side of compliance.

ComplyB4 has decades of experience in the PCI DSS space and is available round the clock to guide and assist you in making the right choice.
