SAQ is the reporting tool used to document self-assessment results from an entity’s PCI DSS assessment. SAQ A is for Card Not Present (e-commerce or mail/telephone order) merchants where all cardholder data functions are outsourced. So, this can never apply to face-to-face merchants. SAQ-A comprises 12 questions and so is considered the simplest form of self-assessment. Anyone handling Card Not Present payments without outsourcing all card data functions must complete SAQ D - for merchants not included in descriptions A-C and anyone else eligible to complete an SAQ. Check which SAQ you’re eligible for.