Don’t let your merchant level confuse you on whether to achieve compliance with PCI DSS SAQ C or D. Complete compliance requires meeting SAQ D standards and complete data security goes beyond that. Many merchants believe that since they process fewer transactions, they only have to comply with SAQ C. This statement is incorrect. Those merchants are only required to fill out the SAQ C but must maintain full PCI DSS compliance at all times as stated in the formal attestation. Full PCI DSS compliance means compliance with all 286 controls of the SAQ D.
