Merchants have long been confused and misinformed about which SAQ to fill out. The short forms are the most desired, easy and simple: SAQ A with 13 questions, SAQ B with 25, or SAQ C with 80. If a merchant needs only one of these and the rest don’t apply, that is absolutely fine. However, hacks and breaches are more common among these merchants. How do they secure their data too?
Storefront Backtalk has a very relevant article that talks about SAQ D as a mandate for merchant levels 2, 3, and 4. It also says that it would make sense to use the shortened SAQs as guidance, since “according to payment brand rules, all merchants and service providers are required to comply with the PCI DSS in its entirety.”
The short SAQs also carry this statement: “If there are PCI DSS requirements applicable to your environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI compliant.”
It is certain this topic will get more attention in the future. In the meantime, retailers should brace themselves for a change to SAQ D as the only acceptable standard to meet all PCI DSS requirements and to finally sign off as PCI compliant.