Diff: FAQ #1331
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?
Earlier Version
2023-09-21 00:00:00 UTC
2023-09-21 00:00:00 UTC
Later Version
2025-05-23 09:27:57 UTC
2025-05-23 09:27:57 UTC
Removed
Added
Service providers cannot use SAQ eligibility criteria to determine applicability of PCI DSS requirements for assessments documented in a Report on Compliance. The only acceptable SAQ for service providers is SAQ D for Service Providers. All other SAQs are intended for merchant use only.
Merchants with environments that fully meet all the eligibility criteria defined in a particular SAQ may use that SAQ as a reference to identify the applicable PCI DSS requirements for that environment. This approach must be clearly documented in ?Description of Scope of Work and Approach Taken? section of the ROC.
For PCI DSS v3.2.1, this includes the following:
Identify the eligibility criteria for the applicable SAQ,
For each criteria, document how the assessor verified that the merchant environment meets the criteria.
For PCI DSS v4.0, this approach is documented as specified in ROC Section 3.1.
The assessor will need to perform appropriate testing and validation to verify the non-applicability of any PCI DSS requirements. As an example: If an e-commerce merchant has a webserver using a URL redirect to a PCI DSS compliant third-party payment processor, the assessor will need to verify that the merchant environment, including redirection method and the configuration of the webserver, meets all the eligibility criteria for SAQ A before they can consider using that SAQ for guidance. This would include verifying that the merchant accepts only card-not-present transactions, does not electronically store, process, or transmit any account data on its systems or premises, that all processing of account data is entirely outsourced to PCI DSS validated third-party service providers, and that all the other eligibility criteria for SAQ A are met.
Any PCI DSS requirements verified by the assessor to be not applicable should be reported as ?Not Applicable? in accordance with instructions in the Report on Compliance (ROC). Template. he only acceptable SAssessors should refer to the Q for service providers is SAQ D for Service Providers. All other SAQs are intended for merchant use only.
Merchants should work with their QSA to fully understand the merchant’s environment. If they are able to reach agreement that applying only the requirements included in an SAQ is an acceptable approach to secure that merchant’s environment, then that SAQ may be used as a relevant guide for applicability of PCI DSS requirements for that environment. If an environment meets some but not all eligibility criteria for a particular SAQ, then the SAQ should not be considered a relevant guide for applicability of requirements. This approach must be clearly documented by the QSA in "Description of Scope of Work and Approach Taken" section 3.1 of the (ROC ).
Template andhe assessor will need to perform appropriate testing and validation to verify the non-applicability of any PCI DSS requirements. As an example: If an e-commerce merchant has a webserver using a server-side redirect (for example, HTTP response with a status code 301 or 302) to a PCI DSS compliant third-party payment processor, the assessor could consider requirement 6.4.3 and 11.6.1 as not applicable since the redirection mechanism is not susceptible to script-based attacks.
This approach must be clearly documented by the QSA in "Description of Scope of Work and Approach Taken" section 3.1 of the ROC. Any PCI DSS requirements verified by the assessor to be not applicable should be reported as "Not Applicable" in accordance with instructions in the ROC Template. Assessors should refer to the ROC Template and ROC Template FAQs for the version of the standard being used for relevant guidance.
If an enn all cases, the merchant is still expected to include PCI DSS Requirement 12.5.2 to document and confirm their PCI DSS scope at least once evironment meets some but not all eligibility criteria for a particular Sery 12 months. The merchant’s assessor is expected to include an assessment of Requirement 12.5.2 and document results in the merchant’s ROC. See PCI DSS v4.x “AQ, then the SAQ should not be considered a relevant guide for applicability of requirements.nnual PCI DSS Scope Confirmation” for more details.
Merchantsand service providers should always consult with their compliance acceptin org entity?such as theiranizations that manage compliance programs (for example, payment brands and acquirer (merchant banks), payment brand, or other entity? to confirm their PCI DSS validation and reporting method. If a detailed assessment and ROC is the appropriate method, merchants meeting the eligibility criteria from an SAQ should also confirm that the approach outlined above is acceptable. Contact information for the payment brands can be found in FAQ #1142 How do I contact the payment card brands?
Merchants with environments that fully meet all the eligibility criteria defined in a particular SAQ may use that SAQ as a reference to identify the applicable PCI DSS requirements for that environment. This approach must be clearly documented in ?Description of Scope of Work and Approach Taken? section of the ROC.
For PCI DSS v3.2.1, this includes the following:
Identify the eligibility criteria for the applicable SAQ,
For each criteria, document how the assessor verified that the merchant environment meets the criteria.
For PCI DSS v4.0, this approach is documented as specified in ROC Section 3.1.
The assessor will need to perform appropriate testing and validation to verify the non-applicability of any PCI DSS requirements. As an example: If an e-commerce merchant has a webserver using a URL redirect to a PCI DSS compliant third-party payment processor, the assessor will need to verify that the merchant environment, including redirection method and the configuration of the webserver, meets all the eligibility criteria for SAQ A before they can consider using that SAQ for guidance. This would include verifying that the merchant accepts only card-not-present transactions, does not electronically store, process, or transmit any account data on its systems or premises, that all processing of account data is entirely outsourced to PCI DSS validated third-party service providers, and that all the other eligibility criteria for SAQ A are met.
Any PCI DSS requirements verified by the assessor to be not applicable should be reported as ?Not Applicable? in accordance with instructions in the
Merchants should work with their QSA to fully understand the merchant’s environment. If they are able to reach agreement that applying only the requirements included in an SAQ is an acceptable approach to secure that merchant’s environment, then that SAQ may be used as a relevant guide for applicability of PCI DSS requirements for that environment. If an environment meets some but not all eligibility criteria for a particular SAQ, then the SAQ should not be considered a relevant guide for applicability of requirements. This approach must be clearly documented by the QSA in "Description of Scope of Work and Approach Taken" section 3.1 of the (ROC
T
This approach must be clearly documented by the QSA in "Description of Scope of Work and Approach Taken" section 3.1 of the ROC. Any PCI DSS requirements verified by the assessor to be not applicable should be reported as "Not Applicable" in accordance with instructions in the ROC Template. Assessors should refer to the ROC Template and ROC Template FAQs for the version of the standard being used for relevant guidance.
I
Merchants