Maintaining customer trust is the bedrock of any successful business. For merchants—whether you’re a boutique e-commerce brand in Makati or a retail chain in Cebu—the phrase “PCI DSS” often sounds like a complex technical hurdle. However, it is essentially your business’s “clean bill of health” for handling credit card data.
If you handle fewer than 6 million transactions annually, you likely don’t need a full-scale on-site audit. Instead, you use a Self-Assessment Questionnaire (SAQ).
This guide breaks down the nine PCI DSS SAQ types for 2026, specifically tailored for Philippine merchants navigating the requirements of the Bangko Sentral ng Pilipinas (BSP) and local payment gateways like Maya and GCash.
What is a PCI DSS SAQ?
A Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers to report the results of their PCI DSS self-assessment. Think of it as a specialized checklist. Depending on how your business accepts payments, the “checklist” can range from 20 questions to over 300.
In the Philippines, complying with PCI DSS 4.0 (the latest standard as of 2026) is no longer optional. Local regulators and acquiring banks now mandate these assessments to mitigate the rising threat of digital fraud.
Which PCI DSS SAQ Types Fit Your Business?
Choosing the wrong SAQ can lead to “false compliance,” leaving your business vulnerable to breaches and hefty fines from the BSP or card brands (Visa, Mastercard, etc.).
SAQ A: The “Hands-Off” E-commerce Merchant
Best for: Small to medium e-commerce sites using a full redirect. If your customer clicks “Pay Now” and is taken entirely to a third-party site (like a hosted Maya or PayPal page), and you never see or touch the card data, this is for you.
- Requirements: ~24 questions.
- Key Criterion: All processing is completely outsourced. No card data ever enters your server.
SAQ A-EP: The “Integrated” Online Shop
Best for: Merchants using “iFrames” or “Direct Post” on their own website. You host the checkout page, but the data is sent directly to the processor via a script or an embedded window. While the data doesn’t “stay” on your server, your website’s security can impact the transaction.
- Requirements: ~190+ questions.
- Why it’s harder: Because you control the “gate” to the payment processor, you must prove your website hasn’t been tampered with by hackers (e.g., Magecart attacks).
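The tamper-proofing an SAQ A-EP merchant has to evidence boils down to knowing exactly which scripts run on the checkout page and noticing when one changes. This added example (not from the original article) keeps an authorised inventory of the payment page's scripts, in the spirit of PCI DSS 4.0 requirements 6.4.3 and 11.6.1, and flags any script that changed, lost its integrity pin, or was never authorised. The gateway URL, script bodies and page are constructed, and the network fetch is stood in for by a dict so it runs offline.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384-<base64>) of a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collects <script src> tags (with their integrity attr) and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._cur = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = (a.get("src"), a.get("integrity"))
            if a.get("src"):
                self.external.append(self._cur)
    def handle_data(self, data):
        if self._cur and self._cur[0] is None and data.strip():
            self.inline.append(data.strip().encode())
    def handle_endtag(self, tag):
        if tag == "script":
            self._cur = None

def check_payment_page(html, fetched, inventory):
    """Return (severity, message) findings. `fetched` maps src -> bytes (stand-in for
    an HTTP GET); `inventory` maps src or 'inline:<hash>' -> authorised SRI hash."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src, integrity in p.external:
        if src not in inventory:                 # script nobody authorised
            findings.append(("HIGH", f"unauthorised script {src}"))
            continue
        if sri_hash(fetched.get(src, b"")) != inventory[src]:   # body changed at source
            findings.append(("HIGH", f"content changed: {src}"))
        if integrity != inventory[src]:          # browser-side SRI pin missing or stale
            findings.append(("MEDIUM", f"integrity attribute missing or wrong on {src}"))
    for body in p.inline:
        if "inline:" + sri_hash(body) not in inventory:
            findings.append(("HIGH", "unauthorised inline script"))
    return findings

# Constructed sample data; the gateway URL and script bodies are assumptions, not a real provider.
GATEWAY_SRC = "https://gateway.example/pay.js"
GOOD_JS = b"window.gatewayInit=function(){/* renders the hosted iframe */};"
TAMPERED_JS = GOOD_JS + b"/* unauthorised code appended here */"
INLINE_JS = b"window.gatewayInit();"
INVENTORY = {GATEWAY_SRC: sri_hash(GOOD_JS), "inline:" + sri_hash(INLINE_JS): sri_hash(INLINE_JS)}
PAGE = '<form><script src="%s" integrity="%s"></script><script>%s</script></form>' % (GATEWAY_SRC, INVENTORY[GATEWAY_SRC], INLINE_JS.decode())
```

Run the check on a schedule against the live checkout URL and the scripts it references; any HIGH finding is the kind of event the 4.0 requirements expect you to detect and respond to, and the inventory itself doubles as the written script authorisation the assessor will ask for.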
SAQ B: The “Old School” Retailer
Best for: Brick-and-mortar shops using standalone dial-out terminals. If you use a physical terminal that connects via a phone line (not the internet) and doesn’t store data, this is your path.
- Requirements: Focuses on physical security and ensuring no paper receipts with full card numbers are left lying around.
SAQ B-IP: The “Modern” Retailer
Best for: Shops using standalone IP-connected terminals. Most modern “card swipe” machines in the Philippines today connect via Ethernet or Wi-Fi. If your terminal is connected to the internet but not connected to your cash register or internal network, you fall here.
- Key Requirement: Requires quarterly network scans by an Approved Scanning Vendor (ASV).
SAQ C-VT: The “Virtual Terminal” User
Best for: Travel agencies or BPOs taking payments over the phone. If you manually type customer card details into a web-based “Virtual Terminal” provided by your bank using a dedicated computer, this applies.
- Crucial Rule: The computer used for these payments must not be used for anything else (no personal emails or general browsing).
SAQ C: The “Point-of-Sale (POS)” Integrated Merchant
Best for: Businesses with payment applications connected to the internet. If your cash register is connected to your payment terminal and they both talk to the internet to process the sale, you are in SAQ C territory.
- Requirements: Significantly more technical, focusing on how your local network (LAN) is secured.
SAQ P2PE: The “Secure Hardware” Gold Standard
Best for: Merchants using a validated Point-to-Point Encryption (P2PE) solution. If you use high-end hardware that encrypts card data the instant it’s swiped/dipped, making it unreadable until it reaches the bank, your compliance burden drops significantly.
- Benefit: Only about 33 questions. It’s the “shortcut” to high-level security.
SAQ D: The “Everything Else” Category
Best for: Large retailers, Service Providers, or those who store card data. If you don’t fit the categories above—perhaps because you store cardholder data for recurring billing on your own servers—you must complete SAQ D.
- The Catch: This is the full version of the standard with over 300 requirements. In the Philippines, any merchant that stores “Primary Account Numbers” (PAN) locally is strongly advised to move toward tokenization to avoid the complexity of SAQ D.
Critical Compliance Steps for Philippine Merchants
- Determine Your Merchant Level: Most local businesses are Level 3 or 4. Check with your acquiring bank (e.g., BDO, BPI, or Maya) to confirm.
- Define Your Scope: Map out exactly how card data enters your business. Does it touch your Wi-Fi? Your server? Your employees’ phones?
- Use an ASV for Scans: If you use any internet-connected system (SAQ A-EP, B-IP, C, D), you must perform quarterly external vulnerability scans using a PCI SSC-Approved Scanning Vendor (ASV).
- Update to 4.0 Standards: As of 2026, old version 3.2.1 assessments are no longer valid. Ensure your documentation reflects the new 4.0 requirements, especially regarding multi-factor authentication (MFA) and phishing training.
Note for “2-Star” Companies: If your business is currently scaling or struggling with resources, focus on SAQ A or P2PE. These “outsource” the heaviest security burdens to experts, allowing you to stay compliant with minimal overhead.
Conclusion
PCI DSS compliance isn’t just a regulatory “check-the-box” exercise; it’s a competitive advantage. In a market like the Philippines, where digital payment adoption is skyrocketing, being able to show your Attestation of Compliance (AOC) builds immense trust with savvy consumers.
Start by identifying your data flow, pick the corresponding SAQ, and remember: the less data you touch, the easier your compliance journey will be.