Frequently Asked Question

Why are there multiple PCI DSS Self-assessment Questionnaires (SAQs)?
There are multiple versions of PCI DSS SAQs to meet various merchant scenarios, depending on how each merchant organization stores, processes, or transmits cardholder data (CHD) and/or sensitive authentication data (SAD). For more information on how to determine which SAQ applies best to a merchant environment and how to complete an SAQ, refer to 'PCI DSS Self-Assessment Questionnaire Instructions and Guidelines', available in the Document Library.
Merchants should consult with their compliance-accepting entity - the entity to which the SAQ will be submitted (typically, an acquirer (merchant bank) or the payment brands) to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.
SAQ D for Service Providers is the ONLY SAQ for SAQ-eligible service providers. All other SAQs are for merchant use only.
Refer to FAQ 1215: What is a PCI DSS Self-Assessment Questionnaire?
Related
-
Are Approved Scanning Vendors and Qualified Security Assessors considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
-
What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?
-
Is phishing-resistant authentication alone acceptable as multi-factor authentication for PCI DSS Requirements 8.4.1 and 8.4.3?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used as a guide for determining applicability of PCI DSS requirements for merchant assessments documented in a Report on Compliance?
Most Popular
-
Are Approved Scanning Vendors and Qualified Security Assessors considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
-
What are the expectations for entities when assigning risk rankings to vulnerabilities and resolving or addressing those vulnerabilities?
-
Is phishing-resistant authentication alone acceptable as multi-factor authentication for PCI DSS Requirements 8.4.1 and 8.4.3?
-
Are passkeys synced across devices, implemented according to the FIDO2 requirements, acceptable for use as phishing-resistant authentication to meet PCI DSS Requirement 8.4.2?
-
How should PCI DSS v4.x requirements noted as superseded by another requirement be reported after 31 March 2025?
Most Recently Updated
-
Can unencrypted PANs be sent over e-mail, instant messaging, SMS, or chat?
-
Are entities allowed to request that cardholder data be provided over end-user messaging technologies?
-
Does PCI DSS allow faxing of payment card numbers?
-
What is the maximum period of time that cardholder data can be stored?
-
To which devices does PCI DSS Requirement 10.4.2 apply?