PCI DSS 4.0: SAQ or RoC, and How to Decide in 2024
Compliance
PCI DSS 4.0 became mandatory in March 2024 and the SAQ versus RoC choice has real cost implications. Merchant level thresholds, sampling logic, and where most teams misread their obligations.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 13, 2024 · 7 min read
PCI DSS 4.0 fully replaced 3.2.1 on 31 March 2024. A few transitional requirements remain best-practice until 31 March 2025, but the rest are mandatory now. The first decision any merchant or service provider faces is whether they file a Self-Assessment Questionnaire or commission a Report on Compliance. Getting this wrong is expensive in both directions.
Merchant level thresholds
Visa and Mastercard publish slightly different thresholds, but the working definitions in 2024 are: Level 1 means more than 6 million transactions per year across all channels, Level 2 means 1 to 6 million, Level 3 means 20,000 to 1 million ecommerce transactions, and Level 4 means fewer than 20,000 ecommerce transactions and up to 1 million transactions in total. Service providers that store, process or transmit more than 300,000 transactions per year fall into Level 1 service provider scope; everyone below that is Level 2.
- Level 1 merchants: mandatory annual RoC by a QSA (or a qualified Internal Security Assessor), plus quarterly ASV scans
- Level 2 merchants: the SAQ their payment channels qualify for (usually SAQ D for mixed environments) plus quarterly ASV scans; Mastercard requires a QSA or ISA to complete it, and acquirers often push for a full RoC
- Level 3 merchants: SAQ A, A-EP, or D depending on architecture
- Level 4 merchants: SAQ at the discretion of the acquirer, often A or B-IP
The SAQ types that trip people up
SAQ A applies only if all cardholder data functions are outsourced to PCI DSS compliant third parties and every element of the payment page delivered to the customer's browser comes from the third party: a full redirect, or an iframe or URL hosted entirely by the provider. SAQ A-EP applies as soon as your own site delivers any part of the payment form or controls how cardholder data is directed, for example a Direct Post form or merchant JavaScript that builds, populates or submits the form. The 4.0 revision added requirements 6.4.3 and 11.6.1 to both questionnaires: 6.4.3 requires an authorized inventory of every script on the payment page, with a business justification and an integrity check for each, and 11.6.1 requires a mechanism that detects unauthorized changes to the HTTP headers and the content of the payment page as received by the browser. The page that hosts the provider's iframe counts as a payment page, so the analytics, chat widgets and A/B testing scripts on a hosted checkout are in scope for both requirements even under SAQ A, and a merchant-controlled script that interacts with the form or its submission is exactly what moves a store into A-EP.
Cost difference
A QSA-led RoC for a Level 1 merchant in 2024 runs 60,000 to 250,000 USD depending on environment complexity, segmentation, and number of locations. A Level 2 SAQ D with quarterly ASV scans and an internal vulnerability program runs 15,000 to 40,000 USD per year including tooling. Level 3 SAQ A merchants can stay under 8,000 USD per year if their architecture is clean.
Sampling logic for service providers
If you operate a multi-tenant SaaS platform and your customers fall into PCI scope, your service provider RoC sampling matters. QSAs sample environments, not customers. A poorly segmented multi-tenant database forces the QSA to treat the whole shared platform, and therefore every tenant, as in scope. Segmentation testing is annual for everyone under requirement 11.4.5, but requirement 11.4.6 makes it at least every six months, and after any change to the segmentation controls, for service providers, and it uses penetration testing to validate isolation between tenants.
Practical decision tree
- Confirm transaction volume with your acquirer in writing, not your internal data warehouse
- Map every script that loads on any page that touches the payment form
- Decide whether to invest in tokenization or hosted iframes to drop to SAQ A scope
- If staying in SAQ A-EP or D, budget for ASV scans and quarterly internal vulnerability assessments
- Engage a QSA early for any RoC, six months before the assessment window
Enforcement reality
Acquiring banks rarely audit your SAQ for accuracy. They will check that you filed one. Where enforcement bites is post-breach. A merchant that filed SAQ A while operating in A-EP territory faces fines, forensic investigator fees, and card brand penalties that easily exceed the cost of correct scoping. We have seen these run to 400,000 USD for what should have been a 25,000 USD program.