
By Jade Hancock June 2, 2025
For businesses accepting credit and debit card payments, protecting customer data is not just a best practice, it’s a requirement. The Payment Card Industry Data Security Standard (PCI DSS) outlines the rules that merchants must follow to secure cardholder data. Two key elements of compliance often confuse business owners: the PCI Self-Assessment Questionnaire (SAQ) and the PCI Security Scan. While both are necessary for compliance, they serve very different purposes.
What Is PCI Compliance?
Before diving into the specifics, it’s helpful to understand the broader goal. PCI DSS is a set of security standards developed by the major credit card networks to protect cardholder data. Any business that processes, stores, or transmits payment card information must comply with these standards.
Levels of Compliance
Merchants are divided into levels based on transaction volume. The higher the volume, the stricter the compliance requirements. However, even small businesses are not exempt. Most small to mid-sized businesses meet their obligations through a combination of a self-assessment and, in many cases, a quarterly scan.
Now let’s break down each of these two components.
Understanding the PCI Self-Assessment Questionnaire
The PCI Self-Assessment Questionnaire (SAQ) is a tool for businesses to evaluate their own compliance with PCI DSS. It is essentially a checklist that guides you through each security requirement and asks you to confirm whether or not you meet it.
What Does the SAQ Involve?
There are several versions of the SAQ, each tailored to a specific type of business. For example:
- SAQ A is for e-commerce or mail/telephone order merchants who use fully outsourced card processing.
- SAQ B is for merchants who use only standalone dial-out terminals.
- SAQ C applies to businesses with payment application systems connected to the internet.
Each questionnaire contains yes-or-no questions related to the PCI DSS requirements. If you answer “no” to any, you are not compliant and must take corrective actions.
Who Needs to Complete an SAQ?
Most merchants that are not required to undergo a formal PCI audit by a Qualified Security Assessor (QSA) will complete an SAQ annually. This includes the majority of small to medium-sized businesses.
Your acquiring bank or payment processor typically tells you which SAQ version to use. If you’re unsure, it’s important to ask for clarification before proceeding.
Why the SAQ Is Important
The SAQ is your documented proof of compliance. It demonstrates that you are aware of the security requirements and have taken steps to meet them. Banks and payment processors often require the completed SAQ annually.
Without a completed SAQ, you may be charged non-compliance fees or face increased scrutiny during audits.
Understanding PCI Security Scans
A PCI security scan is a technical test of your external-facing systems to check for vulnerabilities that could be exploited by hackers. It is conducted by an Approved Scanning Vendor (ASV) and is required quarterly for many merchants.
What Does a Security Scan Check?
The scan probes your systems to identify issues such as:
- Open ports
- Outdated software or firmware
- Misconfigured servers or firewalls
- Weak encryption protocols
Each identified issue is ranked by severity. To pass the scan, all high- and medium-risk vulnerabilities must be addressed and resolved.
Who Needs a Security Scan?
Any business that has internet-facing systems that store, process, or transmit cardholder data is required to complete quarterly scans. This includes e-commerce websites, point-of-sale systems connected to the internet, and even small networks with remote access features.
If your business does not touch cardholder data directly and uses only a third-party provider, you may be exempt. However, it is always best to confirm this with your payment processor.
Why Security Scans Are Critical
Security scans help detect weaknesses before they can be exploited. While the SAQ ensures that you have policies and processes in place, the scan verifies whether those controls are effective in the real world.
A passing scan provides assurance to banks, customers, and card networks that your systems are reasonably secure.
Comparing the Two: Key Differences
Now that we understand what each process entails, let’s look at how they differ.
Purpose
- The SAQ evaluates internal policies, processes, and controls.
- The security scan evaluates the external technical environment.
While the SAQ is essentially a self-review, the scan is an automated technical test performed by an external party.
Frequency
- The SAQ is typically completed once a year.
- The security scan must be conducted every quarter, or more frequently if changes are made to your network.
Scope
- The SAQ covers all aspects of PCI DSS including password policies, physical security, and employee training.
- The scan focuses specifically on internet-connected devices and systems.
Responsibility
- You or your internal IT team complete the SAQ.
- An Approved Scanning Vendor (ASV) conducts the scan and provides a report.
Verification
- The SAQ relies on your honesty and awareness.
- The scan provides tangible proof of system vulnerabilities or compliance.
Why Both Are Necessary
Some business owners assume that completing one of the two requirements is enough. In reality, both are required because they cover different aspects of security.
The SAQ ensures that your company has the right mindset, policies, and infrastructure in place to protect cardholder data. The scan ensures that your technical setup supports those goals and isn’t exposing any vulnerabilities.
Together, they offer a holistic view of your compliance posture and security readiness.
What Happens if You Fail Either One?
Failing a PCI scan or reporting non-compliance on your SAQ can have significant consequences.
Failing the SAQ
If you answer “no” to any required controls, you must:
- Take steps to correct the issues.
- Document your remediation efforts.
- Submit the corrected SAQ once compliance is restored.
In the meantime, your acquiring bank may apply monthly non-compliance fees.
Failing the Security Scan
If your scan detects medium- or high-risk vulnerabilities, you must:
- Resolve the issues identified in the report.
- Schedule a rescan to confirm that the vulnerabilities have been fixed.
Only then can your scan be considered passed.
Continued scan failures could result in warnings or termination of services by your payment processor.
Best Practices to Manage Both Effectively
Meeting PCI requirements doesn’t have to be overwhelming. With the right strategy, both the SAQ and security scan can be completed with minimal disruption to your business.
Stay Organized
Keep track of when your SAQ is due and when each quarterly scan must be completed. Set reminders and plan ahead so you have time to respond to any issues.
Work With Reputable Vendors
Choose a scanning vendor that offers user-friendly interfaces, clear reports, and responsive support. A good ASV can help interpret scan results and guide you through remediation steps.
Be Honest in the SAQ
It may be tempting to check “yes” across the board, but this defeats the purpose. An accurate SAQ helps identify areas for improvement. Compliance is not just about passing—it’s about staying secure.
Implement Remediation Plans
For every weakness identified—either in the SAQ or the scan—create a plan to address it. Assign team members to each task and set deadlines.
Educate Your Staff
Make sure your team understands the importance of PCI compliance and knows how to handle cardholder data securely. This supports both the SAQ process and the real-world security of your systems.
Real-World Scenario: A Comparison in Action
Consider a small online business that accepts card payments via its website. The company uses a third-party payment processor but hosts the checkout page on its own server.
- For the SAQ, they complete SAQ A-EP, which covers merchants that rely on third parties for processing but still manage the checkout page.
- They must also undergo quarterly PCI scans of their web server and related infrastructure because their system touches cardholder data before it’s passed to the processor.
By completing both requirements, the business shows that its policies are aligned with PCI DSS and that its technology infrastructure does not expose customer data to unnecessary risk.
Conclusion: Different Tools for the Same Goal
The PCI Self-Assessment Questionnaire and PCI Security Scan may seem similar, but they serve distinct and complementary roles in protecting cardholder data. One evaluates your internal commitment to security practices, while the other verifies the external technical safety of your systems.
Businesses that take both seriously are better positioned to prevent data breaches, maintain customer trust, and avoid costly penalties. Rather than viewing these tasks as chores, treat them as opportunities to strengthen your business’s foundation.
In a landscape where cyber threats are constant and evolving, every layer of protection matters. Completing both your SAQ and security scan on time, accurately, and with intent is one of the best ways to safeguard your business and your customers.