PCI DSS

PCI DSS v4.0 (2026): SAQ vs ROC, QSA vs Self-Assessment — How to Choose

PCI DSS v4.0 is now mandatory. How to tell whether you need an SAQ or a ROC, and whether you need a QSA — without failing on scope.

Sahil Dubey
June 23, 2026
3 min read

PCI DSS v4.0 is now the only active version of the standard, and its future-dated requirements became mandatory in 2025 — so in 2026 every merchant and service provider that touches card data needs a current plan. The two questions that decide your effort and cost are: which validation type applies to you (SAQ or ROC), and do you need a QSA. Here is how to figure that out.

SAQ vs ROC: which validation applies

Your validation path depends on your merchant level (driven by annual transaction volume) and how you handle card data. Self-Assessment Questionnaires (SAQs) cover most small and mid-size merchants; a Report on Compliance (ROC) is required for Level 1 merchants and many service providers. Both conclude with an Attestation of Compliance (AOC).

Path                      Typically for                                 Who can sign off
SAQ (A, A-EP, D, etc.)    Lower-volume merchants by channel             Self-assessment (QSA optional)
ROC                       Level 1 merchants, many service providers     QSA (or qualified internal auditor)

QSA vs self-assessment

A Qualified Security Assessor (QSA) is required to produce a Level 1 ROC and is often requested by acquiring banks even when an SAQ would technically suffice. For lower levels you can self-assess, but a QSA-partnered readiness engagement reduces the risk of failing on scoping — the single most common reason first assessments fail. A consultant such as Praxis-Q handles scoping, remediation, and SAQ/ROC completion through a QSA partner, including for UAE payment environments aligned to Central Bank requirements.

What changed in v4.0

v4.0 replaced v3.2.1 entirely, added a customised-implementation approach, and introduced future-dated requirements (such as stronger authentication and targeted risk analyses) that are now in force. If your last assessment was against v3.2.1, you have real work to do — do not assume a like-for-like renewal.

How to choose your path

  • Level 1 merchant or service provider: plan for a ROC with a QSA.
  • Lower-volume merchant: identify your correct SAQ type first — scoping errors here cause most failures.
  • UAE / regulated payments: align scope to Central Bank and card-scheme requirements from the start.

Frequently asked questions

Do I need a QSA for PCI DSS?

A QSA is required for a Level 1 Report on Compliance and is often requested by acquiring banks. Lower-level merchants can self-assess with an SAQ, though many use a QSA-partnered advisor to avoid scoping mistakes.

Is PCI DSS v4.0 mandatory now?

Yes. v4.0 is the only active version and its future-dated requirements became mandatory in 2025, so assessments in 2026 must be against v4.0.

What is the difference between an SAQ and a ROC?

An SAQ is a self-assessment questionnaire for eligible merchants; a ROC is a detailed Report on Compliance required for Level 1 merchants and many service providers, typically produced by a QSA. Both end in an Attestation of Compliance.


Sahil Dubey

Compliance & Security Expert

CISA, ISO 27001 LA, AWS Certified. 11+ years in information security, cloud services, and compliance. Founder of Praxis-Q.