Frequently Asked Question

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?

Merchants and service providers should always consult with their acquirer (merchant bank) or payment brand directly, as applicable, to confirm their PCI DSS validation and reporting method (e.g. whether to complete an onsite assessment and Report on Compliance (ROC), or a self-assessment and SAQ). If an onsite assessment and ROC is the appropriate method, the merchant should also confirm that the approach outlined below is acceptable. Contact information for the payment brands can be found in FAQ #1142 How do I contact the payment card brands?

Entities with environments that fully meet all the eligibility criteria defined in a particular SAQ may use that SAQ as a reference to identify the applicable PCI DSS requirements for that environment.  This approach must be clearly documented in “Description of Scope of Work and Approach Taken” section of the ROC as follows:

  • Identify the eligibility criteria for the applicable SAQ
  • For each criteria, document how the assessor verified that the merchant environment meets the criteria

The assessor will need to perform appropriate testing and validation to verify the non-applicability of any PCI DSS requirements. As an example:  If an e-commerce merchant has a webserver using a URL redirect to a PCI DSS compliant third party payment processor, the assessor will need to verify that the merchant environment, including redirection method and the configuration of the web server, meets all the eligibility criteria for SAQ A before they can consider using that SAQ for guidance. This would include verifying that the merchant accepts only card-not-present transactions, does not electronically store, process, or transmit any cardholder data on its systems or premises, that all processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers, and that all the other eligibility criteria for SAQ A are met.

Any PCI DSS requirements verified by the assessor to be not applicable should be reported as “Not Applicable” in accordance with instructions in the “ROC Summary of Assessor Findings” section in the PCI DSS ROC Template.

If an environment meets some but not all eligibility criteria for a particular SAQ, then the SAQ should not be considered a relevant guide for applicability of requirements.

January 2017
Article Number: 1331