SAQ Guidance
Which PCI Self-Assessment Questionnaire applies to your Cresora integration.
A PCI SAQ (Self-Assessment Questionnaire) documents your compliance with PCI DSS. The right SAQ depends on how your integration handles cardholder data.
SAQ types for Cresora integrations
SAQ A — Lowest scope
Use if: You use the Cresora HPP (Hosted Payment Page) exclusively.
Card data never touches your environment — it's entered directly on Cresora-hosted pages. Your only cardholder data touchpoint is the redirect.
Requirements: ~22 controls. Covers your website, employees, and processes — not your servers.
SAQ A-EP — Low-medium scope
Use if: You use Cresora.js to tokenize card data on your frontend before it reaches your server.
JavaScript on your page collects card data and sends it directly to Cresora. Your server never sees raw card numbers.
Requirements: ~191 controls. Covers your web server, website code, and front-end security.
SAQ D — Highest scope
Use if: You use the API Direct integration (card data passes through your server).
Your server receives, processes, and transmits raw card numbers to Cresora.
Requirements: ~329 controls. Full PCI DSS compliance, including network segmentation, vulnerability scanning, and penetration testing.
Completing your SAQ
- Download the appropriate SAQ from the PCI Security Standards Council website (pcisecuritystandards.org)
- Answer each question honestly and accurately
- Sign the Attestation of Compliance (AoC)
- Submit a copy to Cresora during certification
Annual renewal
SAQs must be completed annually. Cresora sends reminders 90 days before your current SAQ expires.
Selecting the wrong SAQ (e.g., SAQ A when you should file SAQ D) creates liability for your business. If unsure, consult a Qualified Security Assessor (QSA) or contact Cresora.