The Right SAQ. Completed Correctly. First Time.
Selecting the wrong SAQ type — or completing it inaccurately — is the most common reason acquiring banks reject PCI DSS submissions. We get it right.
SAQ assistance prevents the most common PCI DSS failure mode: selecting the wrong questionnaire type and submitting inaccurate answers to your acquiring bank.
SAQ Types Explained
The PCI Security Standards Council publishes six merchant SAQ types. Each type applies to a specific payment acceptance scenario:
SAQ A applies to card-not-present merchants who have fully outsourced all cardholder data functions to PCI-compliant third parties. Your website never receives, transmits, or stores cardholder data. The checkout page is hosted entirely by the payment gateway. This is the most common SAQ type for UAE e-commerce merchants using hosted checkout (Telr, PayTabs hosted pages, Checkout.com redirect).
SAQ A-EP applies to e-commerce merchants who outsource payment processing but whose website could affect the security of the payment transaction. This includes merchants using JavaScript-based payment widgets where the checkout form appears on the merchant domain — common with Stripe Elements, Checkout.com Frames, or Adyen Drop-in.
SAQ C applies to merchants with payment application systems connected to the internet — POS software, payment terminals with IP connectivity, or in-store systems with internet access. Common in UAE retail and F&B.
SAQ D (Merchant) is the most comprehensive SAQ, covering all 12 PCI DSS requirements. If you store cardholder data in any form, or if your environment doesn’t qualify for a simpler SAQ type, SAQ D applies. This is essentially a full PCI DSS self-assessment.
The UAE Acquirer Context
UAE acquiring banks — Emirates NBD Merchant Services, Mashreq, ADCB, Network International, and others — each have their own SAQ submission portals and deadline enforcement practices. We maintain current knowledge of each acquirer’s specific requirements, accepted SAQ versions, and submission formats to ensure your package is accepted without back-and-forth.
Engagement Phases
SAQ Type Determination
Review all payment channels, integrations, and data flows to determine the correct SAQ type. Confirm with acquirer requirements if needed.
Guided Completion
Work through each SAQ question with your team, providing technical interpretation, evidence requirements, and guidance on compensating controls where applicable.
Review & Submission Package
Final review of completed SAQ for accuracy and consistency. Prepare submission package including SAQ, Attestation of Compliance (AOC), and ASV scan reports.
Before & After
| Metric | Before | After |
|---|---|---|
| SAQ Accuracy | SAQ completed internally — high risk of inaccuracy and misclassification | Expert-reviewed SAQ with evidence for every 'yes' answer |
| Acquirer Acceptance | Risk of rejection — wrong SAQ type or missing supporting documentation | Complete, accurate submission package accepted first time |
| Annual Effort | Weeks of internal scramble each renewal cycle | Structured annual process with pre-built evidence inventory |
Frequently Asked Questions
What are the different SAQ types?
PCI DSS has six SAQ types for merchants: SAQ A (card-not-present merchants who outsource all card processing to PCI-compliant third parties), SAQ A-EP (e-commerce merchants who outsource payment processing but whose website could affect security), SAQ B (merchants using only imprint machines or standalone dial-out terminals), SAQ B-IP (merchants using standalone IP-connected payment terminals), SAQ C (merchants with payment application systems connected to the internet), and SAQ D (all other merchants, including those who store cardholder data). Service providers have their own SAQ D variant. Selecting the wrong type is a compliance failure.
Can we complete the SAQ ourselves without help?
Technically yes — SAQs are self-assessment tools. However, the most common compliance failure is merchants selecting an SAQ type that doesn't match their actual payment environment, or answering 'yes' to controls that don't actually meet PCI DSS requirements. An experienced PCI DSS specialist significantly reduces this risk and ensures your submission withstands acquirer scrutiny.
What is an ASV scan and do we need one?
An Approved Scanning Vendor (ASV) scan is a quarterly external vulnerability scan of all internet-facing IP addresses in scope for PCI DSS. Most SAQ types (B-IP, C, D) require quarterly ASV scans as a mandatory component of compliance. SAQ A and some SAQ A-EP scenarios may not require ASV scanning if there are no internet-facing CDE components. We determine your ASV scan requirement as part of SAQ type determination.
How often does the SAQ need to be completed?
Annual SAQ submission is the minimum requirement. Your acquiring bank sets the submission deadline — typically within 12 months of your previous submission. Some acquirers require more frequent submissions if you've had compliance issues. We recommend completing the SAQ 6-8 weeks before the deadline to allow time for any remediation identified during the process.