PCI DSS SAQ A to SAQ D for UAE E-commerce and Retail Merchants

Most UAE online merchants qualify for SAQ A — but only if their checkout architecture is set up correctly. We determine your SAQ type and get your submission accepted first time.

What We See in This Space

Your acquiring bank (Emirates NBD, Mashreq, Network International) requires annual SAQ submission and you've missed the last deadline.
You use a payment gateway but aren't sure whether you qualify for SAQ A or need the more complex SAQ A-EP based on how checkout is implemented.
Magecart-style JavaScript skimming attacks on checkout pages mean even SAQ A-EP merchants face real card theft risk.
You operate both an e-commerce store and physical retail locations — different SAQ types may apply to each channel.
A customer data breach or card brand investigation has been triggered and you need to demonstrate compliance immediately.

The UAE’s e-commerce sector has grown into one of the GCC’s largest, and every online merchant accepting Visa or Mastercard is subject to PCI DSS compliance requirements enforced through their acquiring bank relationship.

The UAE E-commerce SAQ Landscape

The most common question from UAE e-commerce merchants is: “Which SAQ do we need?” The answer depends entirely on how your checkout is architected:

SAQ A — If your customers are redirected to a fully hosted payment page operated by a PCI-compliant gateway (Telr hosted, PayTabs redirect, Checkout.com redirect, Stripe Checkout redirect), and your website never receives card data, you likely qualify for SAQ A. This is the simplest PCI DSS certification — 22 questions, minimal technical controls, annual completion in a single day with specialist help.

SAQ A-EP — If your checkout page is on your domain and uses a JavaScript widget from the gateway (Stripe Elements, Checkout.com Frames, Adyen Drop-in, Telr.js), your website could affect payment security. SAQ A-EP applies — 191 questions, more technical controls including vulnerability scanning and web application firewall requirements.

SAQ C or D — If you operate in-store POS systems connected to the internet, or store any card data in your own systems, more complex SAQ types apply.

The Magecart Risk for UAE Retailers

Even merchants on SAQ A-EP face real payment security risk. Magecart attacks — JavaScript injection on checkout pages to skim card numbers — have compromised hundreds of e-commerce merchants globally. PCI DSS v4.0 specifically added new requirements targeting this attack vector: Requirement 6.4.3 mandates inventory and integrity checking of all payment page scripts, and Requirement 11.6.1 requires tamper detection for payment pages.

We assess your checkout implementation against these new v4.0 requirements and implement the script inventory and monitoring controls they require.
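
One way to check a checkout page against an authorized script inventory, as Requirement 6.4.3 describes (an added example, not this page's or any gateway's own code). The gateway URL, script bodies and inventory format are constructed assumptions; the check covers the HTML as served and does not fetch the scripts.

```python
import base64, hashlib
from html.parser import HTMLParser

def sri(data: bytes) -> str:  # SRI-style sha384 digest, as used in integrity="..."
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

class ScriptCollector(HTMLParser):
    """Records every <script>: external ones by src, inline ones by content hash."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))
        elif tag == "script":
            self._inline = []  # start buffering inline code
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append(("inline", sri("".join(self._inline).encode())))
            self._inline = None

def audit(html: str, inventory: dict) -> list:
    """Compare a page's scripts with the authorized inventory (src -> allowed hashes)."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        allowed = inventory.get(src)
        if allowed is None:
            findings.append(("UNAUTHORIZED", src))         # not in the inventory
        elif integrity is None:
            findings.append(("NO_INTEGRITY_ATTR", src))    # nothing pins its content
        elif integrity not in allowed:
            findings.append(("INTEGRITY_MISMATCH", src))   # content or pin changed
    return findings

# Constructed sample data: the gateway URL and script bodies are placeholders.
GATEWAY_SRC = "https://js.gateway.example/v1/fields.js"
GATEWAY_SRI = sri(b"constructed gateway script body")
INLINE_OK = "initCheckout({merchant: 'demo'});"
INVENTORY = {GATEWAY_SRC: {GATEWAY_SRI}, "inline": {sri(INLINE_OK.encode())}}
CLEAN = (f'<html><body><script src="{GATEWAY_SRC}" integrity="{GATEWAY_SRI}">'
         f'</script><script>{INLINE_OK}</script></body></html>')
TAMPERED = CLEAN.replace("'demo'", "'demo', debug: 1").replace(
    "</body>", '<script src="https://cdn.unknown.example/a.js"></script></body>')
print(audit(TAMPERED, INVENTORY))
```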

UAE Acquiring Bank Requirements

Different UAE acquiring banks have different compliance enforcement practices. Emirates NBD Merchant Services, Mashreq, ADCB, and Network International each manage their merchant PCI DSS compliance portfolios differently — submission portals, deadline enforcement, and escalation timelines all vary. We have current knowledge of each acquirer’s requirements and ensure your submission package meets their specific format.

Frameworks We Cover

PCI DSS v4.0
Visa Merchant Compliance Program
Mastercard Site Data Protection (SDP) Program
UAE Consumer Protection Regulations

How We Help

SAQ Assistance

PCI DSS Gap Analysis

Payment Tokenization Advisory

Remediation Planning

Start Your PCI DSS Journey

Book a free 30-minute compliance discovery call with our PCI DSS specialists in Dubai. We assess your current posture and identify the fastest path to compliance — actionable findings in days.
