
PCI DSS Self-Assessment Questionnaire (SAQ)

Overview

The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating compliance with the PCI DSS, and you may be required to share it with your acquiring bank. Please consult your acquirer for details regarding your particular PCI DSS validation requirements.

There are multiple versions of the PCI DSS SAQ to meet various business scenarios. A chart to help you determine which SAQ best applies to you and how to complete the SAQ is linked below, and is also included in the Instructions and Guidelines Document.

Each SAQ includes a series of yes-or-no questions about your security posture and practices. The SAQ allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation, as shown in the table below; this determines the validation type. The SAQ validation type is not correlated with a merchant’s classification or risk level.

Executing the SAQ

The PCI DSS SAQ consists of two components: a set of questions corresponding to the PCI DSS requirements, which are appropriate to service providers and merchants, and an Attestation of Compliance. The Attestation is your certification that you are eligible to perform and have performed the appropriate Self-Assessment. The correct Attestation will be packaged with the SAQ that you select below.

Before you download and begin to execute your SAQ, take a moment to review the SAQ Instructions and Guidelines, along with information on how the SAQ fits in the overall PCI Data Security Standard landscape:

Instructions and Guidelines Document

PCI Data Security Standard Self-Assessment: How it All Fits Together

Then:

Select and download your SAQ



The PCI Security Standards Council (the "Council") provides a variety of tools, questionnaires, guidance, FAQs, training resources and other materials and information to assist organizations seeking to achieve compliance with its standards (the "Standards"). Third party products and services are also available, but the Council does not endorse or recommend any such third party products or services, and advises all organizations seeking to achieve compliance to become familiar with the Standards and related requirements before purchasing third party products or services. Ultimately, all applicable requirements must be met in order to achieve compliance, regardless of whether or what third party products or services are used.