SAQ

PCI Self-Assessment Questionnaire

A PCI Self-Assessment Questionnaire (SAQ) is the attestation form merchants complete to document compliance with PCI DSS for their environment. Which SAQ applies depends on how card data flows: fully outsourced capture qualifies for the shortest forms; storing encrypted PAN in your data center pulls you toward the longest.

SAQs are not checkboxes for auditors; they encode architectural decisions. Teams that shortcut integration guidance (“we’ll just POST PAN to our API”) often discover mid-year that they selected the wrong SAQ and must remediate before an acquirer deadline.

Service providers have their own SAQ types and must publish Attestations of Compliance (AoC) to customers. When evaluating tokenization vendors, request their AoC and responsibility matrix: what they cover versus what remains on the merchant.

Veliro documents integration patterns aligned with SAQ-A (hosted fields, no PAN on merchant servers) and provides evidence links in the trust center. Choosing architecture before choosing SAQ minimizes compliance drag as transaction volume grows.

Acquirers may still ask for SAQ attestations even when you outsource capture. Keep signed SAQs, network diagrams, and vendor AoCs in a single evidence folder to avoid fire drills before renewal season.
