PCI DSS SAQ vs ROC: Which Validation Path Do You Need?
A merchant once handed us a self-signed SAQ A and said his acquirer was happy. Twenty minutes into the walkthrough we found his checkout page posting card data to his own server before redirecting to the gateway. That single line of JavaScript meant he was never eligible for SAQ A in the first place. He had been attesting to controls he did not have, for three years, with a signature that made him personally liable. Nobody had ever asked him one hard question.
That is the real problem with the SAQ versus ROC decision. It is not a form-length question. It is a scope and liability question that most people get wrong at the very first step, and the cost of getting it wrong does not show up until a card gets breached and a forensic firm reads your attestation back to you in a claims meeting. This guide is about choosing the right validation path honestly, with the Indian acquiring and regulatory context that actually applies to you.
What SAQ and ROC actually are
PCI DSS (the Payment Card Industry Data Security Standard) gives you two ways to prove you meet its requirements. Both cover the same 12 requirement families in the current v4.0.1 standard. What differs is who assesses you and how much of your environment gets examined.
A SAQ, or Self-Assessment Questionnaire, is a shortened yes or no checklist you complete about yourself. You tick the boxes, sign an Attestation of Compliance (AOC), and submit it to your acquiring bank or the brand. No independent auditor is mandatory. There are nine SAQ types, each mapping to a specific way you handle cardholder data, and each contains only the subset of requirements relevant to that scenario. SAQ A has around 30-something questions. SAQ D has over 300, essentially the full standard.
A ROC, or Report on Compliance, is a full independent assessment performed by a QSA, a Qualified Security Assessor certified by the PCI Security Standards Council. The QSA does not accept your yes or no answers. They sample systems, pull evidence, interview staff, watch you perform tasks, and write a detailed report against every applicable requirement and testing procedure. The output is a ROC document plus a QSA-signed AOC. Some large organisations run this internally through an ISA, an Internal Security Assessor, but the rigour is the same.
Put plainly: a SAQ is you telling the brand you comply. A ROC is a certified auditor telling the brand you comply, having checked. The word that decides between them is transaction volume, but the trap is scope.
The number that forces the decision: merchant levels
Visa and Mastercard classify every merchant into one of four levels based on annual transaction count. Your level dictates whether a ROC is mandatory or whether a SAQ is permitted. The thresholds below are the widely applied brand criteria; your acquirer can always impose a stricter level, and being breached generally pushes you up to Level 1 regardless of volume.
| Level | Annual card transactions (per brand) | Typical validation | Who signs |
|---|---|---|---|
| Level 1 | Over 6 million, or any breached merchant | ROC mandatory | QSA or ISA |
| Level 2 | 1 million to 6 million | SAQ (Mastercard may require QSA-assisted) | Merchant, optionally QSA |
| Level 3 | 20,000 to 1 million e-commerce | SAQ | Merchant |
| Level 4 | Under 20,000 e-commerce, or up to 1 million total | SAQ | Merchant |
Service providers follow a separate scale. If you store, process, or transmit card data on behalf of others (a payment gateway, a PA-DSS-era software vendor, a hosting provider handling cardholder data), Level 1 kicks in at 300,000 transactions a year, and many acquirers and NPCI-linked schemes expect a ROC well below that. Below Level 1, service providers may use SAQ D for Service Providers. In practice, if you are a payment aggregator regulated by the RBI, expect to be treated as Level 1 and to produce a QSA ROC every year.
Where the RBI quietly overrides the brand rules
In India the merchant-level maths is not the whole story. The RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways require any entity handling card data to be PCI DSS compliant, and the RBI Master Direction on Digital Payment Security Controls expects card-handling systems to be validated by an independent assessor. If you hold a Payment Aggregator authorisation, your compliance is not a private matter between you and Visa. It is a licence condition the RBI can act on.
We have seen fintechs that qualified for a SAQ on transaction volume still be asked for a QSA ROC by their sponsor bank as a condition of the nodal account. The bank carries the residual risk, so the bank sets the bar. When you plan your validation, ask your acquirer and, if applicable, your sponsor bank what they require in writing, before you assume the SAQ path is open to you.
The nine SAQs, and the one question that picks yours
If you are on the SAQ path, choosing the wrong SAQ is the single most common failure we see. The SAQ type is not a preference. It is determined entirely by how card data flows through your systems. Get the flow wrong and your attestation is void.
| SAQ | Who it is for | Roughly how many controls |
|---|---|---|
| A | E-commerce, all card handling fully outsourced to a PCI-compliant third party via full redirect or iframe | ~30 |
| A-EP | E-commerce where your site does not receive card data but can affect the payment page (direct-post, JS scripts) | ~150 |
| B | Imprint machines or standalone dial-out terminals, no electronic storage | ~40 |
| B-IP | Standalone IP-connected PIN entry terminals, no storage | ~80 |
| C-VT | Manual virtual terminal on an isolated workstation, one at a time | ~80 |
| C | Payment application connected to internet, no card storage | ~160 |
| P2PE | Only a validated PCI P2PE solution, no other card access | ~30 |
| SPoC / SoftPOS | Approved software-based PIN entry on COTS devices | varies |
| D (Merchant) | Everyone who stores card data or does not fit any category above | ~330 |
The decisive question for e-commerce is simple to state and easy to get wrong: does any card data ever touch a system you control, even for a millisecond? If your checkout uses a full redirect or a properly isolated iframe served entirely by your gateway, you may be SAQ A. If your page uses a direct-post, a JavaScript SDK that captures the card fields, or any script you host on the payment page, you are SAQ A-EP at minimum, which pulls in external vulnerability scanning by an ASV (Approved Scanning Vendor) and a great deal more.
The merchant in our opening was SAQ A-EP wearing an SAQ A badge. The difference between those two forms is roughly 120 requirements and quarterly ASV scans he had never run.
A five-minute scoping test before you pick a SAQ
- Open your live checkout and view the page source. Is there any script, form field, or SDK that touches card fields and is served from your domain? If yes, you are not SAQ A.
- Watch the network traffic during a test payment. Does the card number ever POST to a hostname you own before reaching the gateway? If yes, A-EP or worse.
- Do you store the full PAN (Primary Account Number) anywhere, including logs, backups, CRM notes, or call recordings? If yes, you are SAQ D, full stop.
- Do call-centre agents key cards into your systems? Then your telephony, recording, and desktop are all in scope.
- Does any staff member ever see or handle a card manually? Even one exception changes your SAQ.
What actually happens in a ROC that never happens in a SAQ
People assume a ROC is a longer SAQ. It is not. It is a different activity. Here is a compressed version of what a real QSA engagement looks like, from our own audit rooms.
Day one is scoping, and it is adversarial in the useful sense. We do not accept your network diagram. We trace a live transaction end to end, then hunt for the systems you forgot: the jump host an engineer built two years ago, the log aggregator that stores masked-but-recoverable PANs, the disaster-recovery site nobody patches. Scope in a ROC is proven, not asserted. This is where most first-time ROC clients discover their environment is 40 percent bigger than they thought.
Then comes evidence. For Requirement 8 (identity and access) we do not accept a password policy PDF. We pull the actual authenticator configuration, sample twenty accounts, and check that MFA is enforced into the cardholder data environment, that shared IDs are gone, and that a leaver from three months ago is actually deprovisioned. For Requirement 10 (logging) we ask you to show a genuine investigation using your logs, live, in the room. For Requirement 11.3 we read the penetration test report, then ask the tester to explain a finding they closed. A SAQ asks did you do this. A ROC asks show me, and then asks show me again for a different sample.
The v4.0.1 additions have made this heavier. The customised approach lets you meet a requirement objective by an alternative control, but you must produce a targeted risk analysis for each one, and the QSA has to validate your reasoning. Requirement 6.4.3 and 11.6.1 now demand active management and change-detection of payment-page scripts, precisely the client-side attack that has burned so many Indian e-commerce merchants. If you have deferred these thinking v3.2.1 rules still apply, that grace period is over.
Cost, time, and effort: an honest comparison
The figures below are indicative Indian market ranges for a mid-sized environment. They move with scope, number of sites, cloud footprint, and how much remediation you need. Treat them as planning numbers, not quotes.
| Dimension | SAQ path | QSA ROC path |
|---|---|---|
| Who performs it | You, self-assessed | Certified QSA firm |
| Typical fee | Nil to modest advisory | ₹8,00,000 to ₹35,00,000+ per year |
| Elapsed time | Days to a few weeks | 10 to 16 weeks first year |
| ASV scans | Required for A-EP, B-IP, C, D | Required, quarterly |
| Penetration test | Required for most SAQ D | Mandatory, internal and external |
| Evidence depth | Answers and policies | Sampled artefacts, live demonstrations |
| Personal liability on signature | High, sits with you | Shared with an accountable assessor |
Notice the last row. A SAQ feels cheaper because you sign it yourself. That is exactly why it can be expensive. When a breach happens, the forensic investigator (a PFI, a PCI Forensic Investigator) compares your attestation to reality. If you attested to controls you did not have, the acquirer can claw back fines, non-compliance assessments, and card-reissuance costs, and your safe-harbour evaporates. A wrong SAQ is not a saving. It is deferred, amplified cost.
So which path do you actually need?
Strip away the noise and it comes down to three questions, in order.
- Are you Level 1, a breached merchant, or an RBI-regulated payment aggregator? Then it is a ROC, and the SAQ conversation is moot.
- Does your acquirer or sponsor bank require QSA involvement in writing? Their letter overrides the brand table.
- If neither forces a ROC, which is the honest, cheapest SAQ your true card-data flow allows? Pick that, and reduce scope aggressively so you can defend it.
There is a fourth, quieter reason to choose a ROC even when a SAQ is permitted: assurance for someone who matters. Enterprise customers, especially banks and insurers you sell to, increasingly demand a QSA AOC rather than a self-signed one during vendor due diligence. If a self-signed SAQ is costing you deals, a ROC is a commercial instrument, not just a compliance one.
A scene from a sponsor-bank review
A payment aggregator we assessed had grown from a SAQ A-EP mindset into handling tokenised flows for dozens of merchants. On volume they were arguably Level 2. Their sponsor bank, carrying RBI exposure on the escrow account, sent a two-line email: annual QSA ROC, or the account is suspended in ninety days. There was no negotiation and no brand table to appeal to. We ran the ROC, found their token vault logging was incomplete against Requirement 10, fixed it in six weeks, and they kept the account. The lesson is that in India your riskiest stakeholder, not the transaction count, often sets your validation path.
The fix-it checklist before you commit to a path
- Draw a real, current cardholder-data-flow diagram and validate it against live network capture, not memory.
- Confirm your merchant level with each brand you accept, and get your acquirer's required validation type in writing.
- If you are RBI-regulated or bank-sponsored, ask your sponsor bank explicitly whether a QSA ROC is a licence or account condition.
- Run the five-minute SAQ scoping test and pick the SAQ type your true data flow dictates, not the shortest form.
- Eliminate stored PAN wherever possible, tokenise, and use P2PE or full redirect to collapse scope before you assess.
- Stand up the v4.0.1 must-dos now: payment-page script inventory and change detection (6.4.3, 11.6.1), MFA into the CDE, and targeted risk analyses for any customised controls.
- Book your ASV scans and penetration test early; these are the usual cause of a slipped deadline.
- If enterprise clients demand assurance, weigh a voluntary ROC as a sales enabler, not just a cost.
Come back to that merchant with the void SAQ. His mistake was not laziness. It was that no one ever sat across the table and asked whether his attestation matched his architecture. The SAQ was designed to let honest, low-risk merchants self-assess cheaply, and it does that well. It fails only when it is used as a way to avoid looking at your own environment. A ROC is not a punishment for being big. It is what you use when the truth needs to be proven, not promised.
If you are unsure which side of that line you sit on, that is the exact question we answer for a living. CyberSigma runs PCI DSS scoping and QSA assessments hands-on as CERT-In empanelled auditors, and we would rather tell you your real SAQ in an afternoon than certify a fiction. Talk to us before you sign anything.
FAQs
Can I choose a ROC even if my transaction volume only requires a SAQ?
Yes. Any merchant may voluntarily undergo a QSA ROC, and many do it because enterprise customers, banks, or insurers demand a QSA-signed Attestation of Compliance during vendor due diligence rather than a self-signed SAQ. It is a stronger assurance and often a commercial advantage.
Does the RBI mandate a ROC over a SAQ for Indian payment companies?
The RBI does not name SAQ or ROC directly, but its Payment Aggregator guidelines and the Master Direction on Digital Payment Security Controls require PCI DSS compliance validated by an independent assessor for card-handling systems. In practice, regulated aggregators and bank-sponsored fintechs are almost always required to produce an annual QSA ROC by their sponsor bank, regardless of transaction volume.
What is the real difference between SAQ A and SAQ A-EP?
SAQ A applies only when all card handling is fully outsourced via a complete redirect or a gateway-served iframe, so no card data or payment-page code touches your systems. SAQ A-EP applies when your website can affect the payment page, for example via a direct-post or a JavaScript SDK you host. A-EP adds roughly 120 requirements plus quarterly ASV scanning. Misclassifying A-EP as A is the most common and most dangerous SAQ error.
How much does a PCI DSS ROC cost in India and how long does it take?
For a mid-sized environment, expect indicative QSA fees of around ₹8,00,000 to ₹35,00,000 or more per year, plus ASV scans and penetration testing, with a first-year timeline of roughly 10 to 16 weeks. Cost and duration scale with the number of sites, cloud footprint, and how much remediation you need before the assessment can pass.
Does being breached change which validation path I need?
Yes. A compromise generally pushes a merchant to Level 1 for the brands involved, which mandates a QSA ROC going forward, irrespective of your normal transaction volume. This is one more reason a self-signed SAQ that overstates your controls is risky: after an incident, the difference between your attestation and reality is examined directly.
Is SAQ D just a longer SAQ, or is it effectively the full standard?
SAQ D is effectively the full PCI DSS, with over 300 requirements, and applies to any merchant who stores the Primary Account Number or does not fit a narrower SAQ category. If you store card data anywhere, including logs, backups, CRM notes, or call recordings, you are on SAQ D and should seriously consider whether a QSA-led assessment is more defensible than self-attesting to the entire standard.
Liked the post? Share on:





Leave A Comment