- PCI DSS v4.0 is the current version of the Payment Card Industry Data Security Standard, applicable to any organization that stores, processes, or transmits cardholder data.
- Eight SAQ-specific documentation products aligned to the PCI SSC's Self-Assessment Questionnaire types. Each product is scoped precisely to its SAQ.
- SAQs A and A-EP are for e-commerce merchants. SAQs B and B-IP are for merchants using imprint machines or stand-alone dial-out terminals. SAQs C and C-VT are for POS or virtual terminal environments. SAQ D covers full PCI DSS scope for merchants and service providers.
- SAQ D (Merchant and Service Provider) products include the most comprehensive documentation, reflecting the full PCI DSS scope. These are the most commonly purchased products.
- Every SAQ product is delivered as editable Microsoft Word and Excel documents with single-entity licensing.
What Self-Assessment Questionnaire (SAQ) Type Are You?
SAQs are requirements for smaller merchants and service providers that are not required to submit a Report on Compliance (ROC). It is designed as a self-validation tool to assess security for cardholder data that uses a series of yes-or-no questions for each applicable PCI DSS requirement.
There are different questionnaires available to meet different merchant environments. Merchants are required to identify the SAQ that best describes how it accept payment cards. Some organizations may even need to fill out different SAQs, based on different methods of accepting payment (e.g., SAQ A for its website and SAQ C for its "brick & mortar" store locations). If you are not sure which questionnaire applies to you, contact your merchant services provider for assistance or review the official PCI Security Standards Council's guidance on "assessing the security of your cardholder data" to help determine the appropriate SAQ type for your organization - SAQ Instructions and Guidelines.
ComplianceForge sells its PCI DSS Policies & Standards based on the SAQ type (shown below):
You can click on the matrix below for a downloadable PDF that shows the PCI DSS v4 controls as they apply to the SAQ levels:

Why SAQ-Specific Documentation Matters
Most PCI DSS documentation products on the market provide a single monolithic document covering the full DSS, which customers must trim down to match their actual SAQ scope. This approach has several problems: irrelevant controls remain in the documentation (which auditors may still test), scope becomes ambiguous (making audit response harder), and maintenance overhead increases (every framework update requires re-trimming).
ComplianceForge's SAQ-specific approach eliminates these problems. Each SAQ product is precisely scoped to its SAQ, so documentation matches exactly what the assessor will review. For many organizations, this reduces audit effort significantly while improving defensibility.
Aligned With PCI DSS v4.0
All products in this category are aligned with PCI DSS v4.0, the current version of the standard. PCI DSS v4.0 replaced v3.2.1 and introduced significant changes including the customized approach, expanded service provider scope, updated authentication requirements, and more granular vulnerability management expectations.
Future quarterly updates (available via optional subscription) will reflect PCI DSS v4.0 errata and any future version transitions as the PCI SSC publishes them.
Available PCI DSS SAQ Products
Eight SAQ-specific products. Select the one matching your assessment scope. If unsure which SAQ applies, consult your acquirer or QSA before purchase.








Comprehensive Coverage
Give us a call or send us an email - we are happy to help you find the right solution for your needs!
There are a lot of choices to pick from when selecting a cybersecurity framework. If you are not sure what works best for you, you can read more here. The most common frameworks are NIST 800-53, ISO 27002, the NIST Cybersecurity Framework and the Secure Controls Framework (SCF). To do NIST CSF, ISO 27002 or NIST SP 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to comply with NIST CSF vs ISO 27002 vs NIST SP 800-53, since there are significantly different levels of expectation.
It is important to understand that picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:
- Not be considered negligent with reasonable expectations for cybersecurity & data protection;
- Comply with applicable laws, regulations and contractual obligations; and
- Implement the proper controls to secure your systems, applications and processes from reasonable threats, based on your specific business case and industry practices.
This understanding makes it easy to determine where on the "framework spectrum" (shown above) you need to focus for selecting a set of cybersecurity principles to follow. This process generally leads to selecting the NIST Cybersecurity Framework, ISO 27002, NIST SP 800-53 or SCF as a starting point.
