PAI Secure - PCI DSS Self-Assessment Questionnaire
For Level 2, 3 and 4 merchants and service providers (see level definitions here), completing the PCI Self Assessment Questionnaire (SAQ) is one validation requirement that must be met.
The Self Assessment Questionnaire is divided into sections based on the 12 PCI DSS requirements.
It serves as a checklist to make certain that a merchant has completed the PCI DSS security steps to protect credit card data.
The SAQ identifies any area of non-compliance.
Preparing Your Responses
In order to properly address the items in the questionnaire, be sure to read and review the PCI Data Security Standard (PCI DSS). You can find the standards at http://www.pcisecuritystandards.org.
Scoring the Questionnaire
Merchants and service providers must answer all of the questions on the PCI Self Assessment Questionnaire with a 'Yes' or 'N/A' in order to be compliant according to the PCI DSS.
If a merchant/service provider answers 'No' to any question, the organization is deemed "Non Complaint" and must take the steps to become compliant.
The open items identified by the SAQ must be resolved, in conjunction with recommendations from your Approved Scan Vendor (ASV) or Qualified Security Assessor (QSA).
Sending the PCI DSS SAQ
Once the requirements have been met and the questionnaire has been completed using our online tool, you have completed all the steps necessary.
If you prefer to download and complete your SAQ without using our online tool, please follow the instructions below:
- Complete the PCI SAQ.
- Send the document to firstname.lastname@example.org or fax to 866-851-5183.
Should your organization not meet the PCI DSS requirements stated in the questionnaire, do the following:
- Print and distribute the SAQ to the appropriate authorities within your organization to obtain accurate answers.
- Take the steps necessary to establish a set of correct answers.
- Complete the PCI SAQ.
- Send the document to email@example.com or fax to 866-851- 5183.
A successful PCI scan report from an approved scanning vendor should be included if deemed necessary (see Network IP Scanning).
|Choose the description that best fits the way you accept credit cards.||Examples||SAQ|
(e-commerce or mail/telephone-order) merchants. All cardholder data functions are outsourced.
This would never apply to face-to-face merchants.
|PayPal, Google Checkout||A|
|Imprint-only merchants with no electronic cardholder data storage.||Telephone Authorizations, Dial Pay or Touch Tone Capture (TTC)||B1|
|Stand-alone dial-up terminal merchants with no electronic data storage.||Telephone Cable Connected to: PAI-Trex, VeriFone, Hypercom, or similar terminals that perform authorizations and data capture||B2|
|Merchants with payment application systems connected to the internet and no electronic cardholder data storage.||Internet Cable Connected to: PAI-Trex, VeriFone, Hypercom, or similar terminals that perform authorizations and data capture, or PC Systems such as PC Charge, Micros, Aloha||C|
|Merchants with Web-based Virtual terminals and no electronic cardholder data storage||Internet Cable Connected to: Isolated virtual terminal on personal computers connected to the internet||C-VT|
|All other merchants
(not included in descriptions for SAQ Forms A-C above)
|All others not described in the above examples||D|