What are the steps needed to use the Self-assessment Questionnaire (SAQ) to validate compliance with PCI DSS?
In accordance with payment brands' compliance programs, those merchants and service providers who are permitted by the payment brands to validate their compliance with the PCI DSS using a Self-assessment Questionnaire (SAQ) may need to complete the following steps:
- Complete the SAQ according to the Self-Assessment Questionnaire Instructions and Guidelines document.
- Complete a clean vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of a passing scan from the ASV.
- Complete the relevant Attestation of Compliance in its entirety (located in the SAQ).
- Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to your acquirer or payment brand.
Merchants should consult with their acquirer (merchant bank) or the payment brands directly to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.