Frequently Asked Question
If a merchant has multiple processing environments, should the merchant complete multiple SAQ to validate their PCI DSS compliance?
Merchants should always contact their acquirer (merchant bank), or payment brand directly to understand their compliance validation obligations, including which SAQ they may be eligible to use. Contact details for the payment brands can be found in FAQ #1142 “How do I contact the payment card brands?”
For multiple payment channels, it may be possible for a merchant to complete a different SAQ for each payment channel, or for a single SAQ to be used that addresses all the requirements for all channels combined. If different SAQs are used, each channel must meet the eligibility criteria for the applicable SAQ, and adequate network segmentation must be in place to isolate the different channels.
In all cases, details of the environment(s) covered by a SAQ must be documented in the Attestation of Compliance, Part 2: Executive Summary.