PCI DSS Self-Assessment Questionnaire (SAQ)
The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating compliance with the PCI DSS, and you may be required to share it with your acquiring bank. Please consult your acquirer for details regarding your particular PCI DSS validation requirements.
There are multiple versions of the PCI DSS SAQ to meet various business scenarios. A chart to help you determine which SAQ best applies to you and how to complete the SAQ is linked below, and is also included in the Instructions and Guidelines Document.
Each SAQ includes a series of yes-or-no questions about your security posture and practices. The SAQ allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation, as shown in the table below – this determines validation type. The SAQ validation type is not correlated with a merchant’s classification or risk level.
Executing the SAQ
The PCI DSS SAQ consists of two components: a set of questions corresponding to the PCI DSS requirements, which are appropriate to service providers and merchants, and an Attestation of Compliance. The Attestation is your certification that you are eligible to perform and have performed the appropriate Self-Assessment. The correct Attestation will be packaged with the SAQ that you select below.
Before you download and begin to execute your SAQ, take a moment to review the SAQ Instructions and Guidelines, along with information on how the SAQ fits in the overall PCI Data Security Standard landscape: