PCI DSS Self-Assessment Questionnaire (SAQ)


The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating compliance with the PCI DSS, and you may be required to share it with your acquiring bank. Please consult your acquirer for details regarding your particular PCI DSS validation requirements.

There are multiple versions of the PCI DSS SAQ to meet various business scenarios. A chart to help you determine which SAQ best applies to you and how to complete the SAQ is linked below, and is also included in the Instructions and Guidelines Document.

Each SAQ includes a series of yes-or-no questions about your security posture and practices. The SAQ allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation, as shown in the table below – this determines validation type. The SAQ validation type is not correlated with a merchant’s classification or risk level.

Executing the SAQ

The PCI DSS SAQ consists of two components: a set of questions corresponding to the PCI DSS requirements, which are appropriate to service providers and merchants, and an Attestation of Compliance. The Attestation is your certification that you are eligible to perform and have performed the appropriate Self-Assessment. The correct Attestation will be packaged with the SAQ that you select below.

Selecting the SAQ and Attestation that Best Apply to Your Organization 

According to payment brand rules, all merchants and service providers are required to comply with the PCI DSS in its entirety. There are five SAQ categories, shown briefly in the table below and described in more detail in the following paragraphs. Use the table to gauge which SAQ applies to your organization, then review the detailed descriptions to ensure you meet all the requirements for that SAQ.

SAQ Description

A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.

B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.

C-VT Merchants using only web-based virtual terminals, no electronic cardholder data

C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

Please select the one applicable to you from the form or the menu and complete/submit the form.