PCI DSS Self-Assessment Questionnaire (SAQ) for Online Payments

At Surfboard Payments, security isn't an afterthought—it's built into every part of our platform. By designing our online payment solutions to minimize PCI DSS scope, we help merchants simplify compliance without compromising security.

Every merchant processing online payments must comply with PCI DSS, but the specific requirements depend on how payments are integrated and whether cardholder data is handled directly by the merchant.

By integrating payments through Surfboard Payments' Developer Portal, you only need to complete SAQ A—the simplest and least burdensome self-assessment questionnaire.

Understanding PCI DSS Compliance for Online Payments

The Payment Card Industry Data Security Standard (PCI DSS) defines four merchant levels based on the number of transactions processed annually:

  • Level 1: Merchants processing over 6 million transactions per year → Requires an annual Report on Compliance (RoC) by a QSA.
  • Level 2: Merchants processing 1 million – 6 million transactions per year → SAQ and potential QSA validation.
  • Level 3: Merchants processing 20,000 – 1 million e-commerce transactions per year → SAQ required.
  • Level 4: Merchants processing fewer than 20,000 e-commerce transactions per year → SAQ required.

All merchants, regardless of level, must comply with PCI DSS, but the number of requirements varies depending on how payments are handled.

Why PCI DSS Scope Matters

A merchant's PCI DSS scope determines the set of security requirements the merchant must meet. The more directly a merchant's systems store, process, or transmit cardholder data, the larger the scope and the more complex compliance becomes.

Low Scope (SAQ A – Simplified Compliance)

  • No cardholder data is stored, processed, or transmitted by the merchant.
  • Surfboard Payments handles all security and compliance on the merchant's behalf.
  • Requires only 22 security requirements to be met.

High Scope (SAQ A-EP, SAQ D – Full PCI Compliance)

  • The merchant's website can affect the security of the payment transaction (e.g., by using Direct Post or by storing cardholder data).
  • Full PCI DSS compliance applies, requiring between 191 and 328 requirements.
  • Merchants must implement extensive security controls, including network segmentation, intrusion detection, and vulnerability scanning.

By integrating with Surfboard Payments, merchants remain in SAQ A scope, avoiding unnecessary complexity and cost.

Which SAQ Applies to Your Business?

SAQ A – Fully Outsourced E-commerce Payment Processing (Applies to Surfboard Payments merchants)

Who qualifies?

  • You use a hosted checkout, iframe, or SDK integration, where Surfboard Payments handles all cardholder data functions.
  • Your website never stores, processes, or transmits cardholder data.
  • The payment form is fully hosted by Surfboard Payments.

Total Requirements: 22

If you integrate using any method from our Developer Portal, SAQ A is the only required SAQ.

What If You Are Not in SAQ A Scope?

SAQ A-EP or SAQ D applies if:

  • Your website collects cardholder data before sending it to the payment provider.
  • You use Direct Post, JavaScript-based payments, or store payment details.
  • You have systems that store, process, or transmit cardholder data.

⚠️ This means a much larger compliance burden, ranging from 191 to 328 security controls. Merchants in this category must:

  • Implement strong network security and firewalls.
  • Perform regular penetration testing and vulnerability scans.
  • Maintain detailed security policies and employee training.
  • Undergo annual audits if processing more than 6M transactions per year.

How Surfboard Payments Keeps You PCI DSS Compliant

We have built security into our online payment solutions so you don't have to worry about compliance complexity.

  • SAQ A Eligibility → All Surfboard Payments online integrations qualify for SAQ A, meaning merchants never have to meet hundreds of security requirements.
  • No Direct Handling of Cardholder Data → Our hosted checkout, iframe, and SDK solutions ensure that cardholder data never touches your systems, keeping you in the lowest PCI DSS scope.
  • Minimal Compliance Effort → With only 22 requirements, SAQ A is fast and easy to complete compared to other SAQs that require hundreds of security controls.
  • Built-in PCI DSS Protection → Our payment solutions include secure encryption, tokenization, and fraud prevention tools to ensure compliance from the start.

What If You Process Over 6 Million Transactions Annually?

If your business qualifies as a Level 1 Merchant, you must undergo an annual PCI DSS assessment by a Qualified Security Assessor (QSA).

Surfboard Payments does not provide QSA certification services, but we offer advisory support to make the compliance process easier:

  • We provide guidance on meeting PCI DSS requirements.
  • We help streamline your preparation for QSA assessments.
  • We can recommend trusted external QSAs to complete the RoC process.

Need Assistance?

PCI DSS compliance doesn't have to be complex. By integrating payments through Surfboard Payments, your compliance burden is minimized.

For step-by-step integration guidance, visit our Developer Portal.

With built-in security and compliance, Surfboard Payments allows you to focus on growing your business while we handle the complexities of PCI DSS.

Which SAQ Applies If You Accept Both In-Store and Online Payments?

Since PCI DSS compliance is determined per payment channel, you will need to complete two separate SAQs: one for your in-store payments and one for your online payments.