Diff: FAQ #1134
What are the steps needed to use the Self-assessment Questionnaire (SAQ) to validate compliance with PCI DSS?
Identify the SAQ that applies to your environment, using the Self-Assessment Questionnaire Instructions and Guidelines document (available in the PCI SSC Documents Library) for guidance. Merchants should consult with their acquirer (merchant bank) or the payment brands directly to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.
Confirm your environment is properly scoped and meets all the eligibility criteria for the SAQ being used.
Perform the self-assessment activities as described in the Expected Testing column of the SAQ, and enter a response for each requirement included in the SAQ.
Complete all sections of the SAQ and Attestation of Compliance (AOC). AOCs are included within each SAQ and also provided as separate, standalone documents.
If required as part of your compliance, complete external vulnerability scans using a PCI SSC Approved Scanning Vendor (ASV), and obtain passing scan reports from the ASV.
Submit the required documentation to your acquirer or payment brand, in accordance with the applicable payment
Complete the SAQ according to the Self-Assessment Questionnaire Instructions and Guidelines document.
Complete a clean vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of a passing scan from the ASV.
Complete the relevant Attestation of Compliance in its entirety (located in the SAQ).
Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to your acquirer or payment
Merchants should consult with their acquirer (merchant bank) or the payment brands directly to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.