Are merchants required to perform the “Expected Testing” in the SAQs?

Yes. The Expected Testing column of each SAQ provides a high-level description of the types of testing activities that should be performed in order to determine whether a requirement is in place. The individual(s) responsible for performing the self-assessment (that is, the merchant or service provider, or their QSA) is expected to perform these testing activities.

The instructions in the “Expected Testing” column are based on the testing procedures in the PCI DSS, and allow the entity to determine whether the requirement is properly implemented, thus enabling them to accurately complete the SAQ. Refer to the section “Understanding the Self-Assessment Questionnaire” in the applicable SAQ for further guidance.


January 2015
Article Number: 1316