PCI-DSS SAQ Types — Which Applies to UK Software?
This guide covers PCI-DSS v4.0 (effective March 2024, with some requirements active from March 2025). PCI-DSS v4.0 introduced significant changes to web skimming controls and customised approach requirements. Always consult a QSA (Qualified Security Assessor) for your specific compliance programme.
| SAQ Type | Who It Applies To | Card Data Handling | Annual Requirements |
|---|---|---|---|
| SAQ-A | Card-not-present merchants using entirely outsourced payment processing (Stripe Elements, Adyen Drop-in) | No cardholder data on your systems — fully outsourced | Self-assessment questionnaire, no penetration test required |
| SAQ-A EP | E-commerce merchants with payment page scripts from a third party but with some redirect control | Scripts touch payment page | Pen test + script integrity controls required (PCI v4.0) |
| SAQ-D (Merchant) | Merchants that store, process, or transmit cardholder data directly | Full cardholder data environment (CDE) | Full 300+ requirements, QSA assessment, annual pen test |
| SAQ-D (Service Provider) | Service providers storing, processing, or transmitting cardholder data for others | Full CDE | Full requirements + additional service provider controls |
Scope Reduction — The Most Important PCI-DSS Decision
| Architecture | PCI-DSS Scope | Compliance Effort |
|---|---|---|
| Stripe Elements / Adyen Drop-in | SAQ-A — your servers never see card data | Low — self-assessment, no pen test |
| iFrame redirect (PayPal-style) | SAQ-A-EP — some control over checkout page | Medium — pen test required, script controls |
| Direct card API (PAN on your server) | SAQ-D — full cardholder data environment | High — QSA assessment, quarterly scans, pen test |
| Card storage (vaulting) | SAQ-D + tokenisation controls | Very high — stringent requirements, expensive |
PCI-DSS v4.0 Key Changes (2024/2025)
Requirement 6.4.3: all scripts loading in the browser on payment pages must be authorised, have their integrity maintained (SRI hashes), and be inventoried. This affects SAQ-A-EP merchants significantly.
Requirement 11.6.1: detection mechanism for unauthorised script changes on payment pages (web skimming detection — Magecart-style attacks).
Customised approach: alternative to standard requirements — allowed where equivalent security is demonstrated. Requires QSA validation.
Targeted risk analysis: some requirements now require organisation-specific risk analysis to determine frequency of controls.
PCI-DSS v4.0 introduced requirements particularly relevant for e-commerce software:
FCA and UK GDPR — How PCI-DSS Interacts
Cardholder data is personal data under UK GDPR — both frameworks apply to cardholder data processing.
UK GDPR Article 32 (security) and PCI-DSS Requirement 12 (security policy) share common controls — document once, satisfy both.
Data breach notification: UK GDPR requires ICO notification within 72 hours. PCI-DSS Requirement 12.10.7 requires card scheme notification — typically faster than 72 hours. Both obligations apply.
FCA Consumer Duty: payment UX must be clear and not misleading — Stripe Elements satisfies Consumer Duty Consumer Understanding for payment screens.
PCI-DSS and UK GDPR overlap for payment data: