Most Canadian businesses that accept credit cards are Level 2, 3, or 4 merchants — meaning they complete a Self-Assessment Questionnaire (SAQ) instead of a full audit. This is approximately 95% of merchants by count, and the segment most ignored by compliance firms that focus on large enterprises. ThreeShield delivers PCI DSS 4.0 compliance for SAQ-eligible merchants directly: correct SAQ type determination, remediation, evidence documentation, and annual refresh.
If your business processes fewer than 6 million Visa or Mastercard transactions per year, you are a Level 2, 3, or 4 merchant. You complete a PCI DSS Self-Assessment Questionnaire (SAQ) — not a full Report on Compliance. ThreeShield delivers this entire process: determining your correct merchant level and SAQ type, implementing missing controls, completing the SAQ, and submitting your Attestation of Compliance. No QSA required.
If you process 6 million or more Visa or Mastercard transactions annually, you are a Level 1 merchant and require a Report on Compliance (ROC) issued by a Qualified Security Assessor (QSA). ThreeShield is not a QSA. For Level 1 merchants, ThreeShield delivers readiness work and refers to vetted QSA partners, with coordination across both engagements. Contact us to discuss.
The wrong SAQ type creates compliance obligations you don't actually have — or worse, understates your scope and leaves you non-compliant. Most merchants (and their IT people) don't know which SAQ applies to how they accept cards. ThreeShield determines this first, before any remediation work.
SAQ A: E-commerce merchants that have fully outsourced all card data functions to a PCI-compliant third party. No card data on your systems, no card data in your browsers. 22 requirements. The smallest SAQ.
SAQ A-EP: E-commerce merchants that outsource card processing but whose website scripts could affect the security of the payment page. Requires more control validation than SAQ A.
SAQ B / B-IP: Card-present merchants using standalone dial-out terminals (B) or IP-connected terminals (B-IP). No electronic cardholder data storage.
SAQ C / C-VT: Merchants using payment application systems (C) or web-based virtual terminals (C-VT), with payment systems isolated from other systems.
SAQ D: All other merchants not covered by the above. The most comprehensive SAQ. Applies if you store cardholder data or have a complex environment. ThreeShield's scope reduction work often moves merchants from SAQ D to a less complex type.
Before choosing a SAQ type, ThreeShield reviews your card acceptance environment for scope reduction opportunities — network segmentation, outsourcing opportunities, and architectural changes that can move you from a larger SAQ type to a smaller one. This is where the real compliance cost savings happen.
How do you accept cards? What's in scope? Which SAQ type applies? Scope reduction opportunities identified.
Lavawall® deployed. Gap analysis against your SAQ type's requirements. Findings prioritized by risk and compliance deadline.
Critical gaps addressed. Network segmentation validated. ASV scans coordinated. Evidence documented.
SAQ completed accurately. Attestation of Compliance issued. Evidence package compiled.
Your bank or payment processor is asking you to complete your annual PCI DSS Self-Assessment Questionnaire (SAQ). This is a required compliance activity for all merchants that accept credit or debit cards. The specific form you need to complete depends on how you accept cards — there are seven SAQ types (A, A-EP, B, B-IP, C, C-VT, D), and choosing the wrong one creates either unnecessary compliance burden or gaps in your actual compliance. ThreeShield determines which SAQ type applies to your situation and completes the questionnaire with you.
Using a PCI-compliant payment processor reduces your scope significantly, but it doesn't eliminate your PCI obligations entirely. Your merchant account still requires annual attestation. How your website or systems interact with the payment process affects your SAQ type. And if your network, systems, or staff practices create risk around cardholder data — even data you hand off to Stripe — that's still in scope. Most businesses using Stripe or Square qualify for SAQ A or SAQ A-EP, which is far less onerous than SAQ D, but the attestation is still required.
ThreeShield starts with a clean-slate scoping session — what card data your business touches, how it is processed, what systems are involved, and what controls you already have in place. Most businesses that haven't done PCI compliance before have gaps, but the gaps are usually addressable within 30–60 days. Merchants that discover they've been non-compliant for years are not automatically penalized for the past — the goal is to get compliant now and stay compliant with ongoing Lavawall® monitoring.
ThreeShield delivers readiness work for Level 1 merchants (6M+ transactions) and refers to vetted QSA partners for the formal Report on Compliance that Level 1 requires. We can coordinate the full engagement — one project manager across the readiness work and the QSA assessment — so you're not managing two separate vendor relationships. Contact us to discuss your Level 1 situation.
ThreeShield delivers PCI DSS compliance for Level 2, 3, and 4 merchants (under 6M Visa/MC transactions annually) directly — merchant level determination, SAQ selection, gap analysis, remediation, and Attestation of Compliance. No QSA required. Level 1 merchants requiring a Report on Compliance are referred to a QSA partner.
Our full audit authority statement
Most merchants complete this in 30–60 days. Book a scoping call and we'll tell you which SAQ type applies to your business.
Fixed scope. No hourly billing. No minimums.