June 18, 2025

What are SAQ D TPSP Service Providers?

June 18, 2025
Ivan Tsarynny
Ivan Tsarynny

TL;DR

  • SAQ D for Service Providers is the most comprehensive version of the PCI DSS Self-Assessment Questionnaire, required for third-party vendors that store, process, or transmit cardholder data.
  • It’s critical for demonstrating compliance with PCI DSS 4.0 and reducing data breach risks.
  • Use this form if your service handles sensitive payment data or has system access to it, even if you don’t directly touch it.
A document labeled SAQ D with a security checkmark, representing PCI DSS compliance requirements for service providers handling payment data.

Introduction: Why SAQ D Matters for Service Providers

Who this guide is for:

This article is for third-party service providers (TPSPs), SaaS platforms, managed security providers (MSPs), hosting companies, and any business that handles or affects the security of payment card data environments (CDE).

Why it matters:

With PCI DSS 4.0 now active, understanding which SAQ applies is crucial. SAQ D for Service Providers is the most rigorous form, covering all 12 PCI DSS requirements and over 300 controls. Failing to comply can lead to fines, breach liabilities, and lost customer trust.

What we’ll cover:

  • What SAQ D for Service Providers includes
  • Who needs to complete it
  • Key compliance areas and challenges
  • Best practices for completion
  • FAQs and how to get started

What is SAQ D for Service Providers?

SAQ D for Service Providers is a self-assessment questionnaire defined by the PCI Security Standards Council (PCI SSC). It’s designed for third-party service providers who store, process, transmit cardholder data or manage components of a customer’s Cardholder Data Environment (CDE).

Unlike other SAQ types (like A, A-EP, or C), SAQ D is not a simplified form. It includes every PCI DSS control — meaning full compliance is expected.

SAQ D covers:

  • All 12 PCI DSS Requirements
  • Controls across network security, access control, vulnerability management, and incident response
  • Physical and logical protections
  • Monitoring, logging, and testing mechanisms

Who Needs to Complete SAQ D?

You must complete SAQ D for Service Providers if you:

  • Provide hosting, payment gateway, or infrastructure services
  • Have access to cardholder data or security-sensitive systems
  • Support or manage encryption, authentication, or firewall components
  • Store logs or provide compliance tools (e.g., session security platforms)

Real-World Examples:

  • A SaaS provider offering customer journey security for eCommerce sites
  • A cloud platform that stores encrypted transaction data
  • A managed detection and response (MDR) vendor monitoring CDE access logs

Even if you do not store cardholder data directly, access to systems that interact with it triggers the SAQ D requirement.

Key Sections of SAQ D for Service Providers

Each SAQ D submission must demonstrate compliance with all 12 PCI DSS Requirements, including:

1. Install and Maintain Secure Systems

  • Harden operating systems
  • Patch known vulnerabilities
  • Configure firewalls and routers securely

2. Protect Cardholder Data

  • Encryption at rest and in transit
  • Tokenization or masking best practices

3. Maintain Access Controls

  • Enforce least privilege
  • Role-based access
  • Multi-factor authentication

4. Monitor and Test Networks

  • File integrity monitoring (FIM)
  • Change detection systems (CDS)
  • Logging and alerting via SIEM or equivalent

Common Challenges and Best Practices

Challenges

  • Scope creep: Failing to limit the scope of systems in the CDE
  • Third-party risk: Relying on vendors who aren’t PCI compliant
  • Misinterpreting shared responsibilities in cloud environments

Best Practices

  • Use segmentation to reduce PCI scope
  • Implement real-time change detection (e.g., [link to PCI 11.6.1 guide])
  • Monitor JavaScript-based threats in user sessions ([link to Session Replay Basics])
  • Review SAQ D annually and after major changes

Comparative Analysis

To illustrate the differences and similarities, consider the following table comparing key aspects, including the applicability of requirements 6.4.3 and 11.6.1:

FAQ

What’s the difference between SAQ D for Merchants and Service Providers?

The service provider version applies to businesses that manage systems or services impacting customer card data, whereas merchant SAQ D applies to those accepting payments directly.

Is SAQ D required if we don’t store card data?

Yes, if you have access to systems that interact with payment data — such as logs, authentication mechanisms, or infrastructure components — SAQ D is still required.

Can we use compensating controls?

Yes, but they must be justified with rigorous documentation and only if a PCI DSS requirement cannot be met directly.

How long does SAQ D take to complete?

Typically 6–12 weeks, depending on your environment size, maturity, and audit readiness.

What version should we use?

As of March 31, 2025, PCI DSS 4.0 SAQ D is mandatory. All previous versions are deprecated.

Maintain Full Visibility

Effortlessly automate PCI-DSS 4.0.1 compliance for SAQ D Third-Party Service Providers (TPSPs), covering Requirements 6.4.3 and 11.6.1 in just minutes.

  • Continuously monitor all scripts across your entire service infrastructure and cardholder data environment (CDE).
  • Ensure script integrity by detecting, blocking, and preventing unauthorized changes across all hosted services.
  • Receive real-time alerts for any unapproved script activities that could impact your customers’ security and compliance.
  • Generate comprehensive compliance reports for internal teams, auditors, and QSAs with ease.
  • Enhance security for all connected merchants by preventing malicious scripts from compromising sensitive cardholder data.
Stay secure, stay compliant, and protect your entire service ecosystem.