PCI Security Standards Council Bulletin: Update to FAQ 1331
23 May 2025

The PCI Security Standards Council (PCI SSC) has published an update to FAQ 1331: “Can SAQ
eligibility criteria be used as a guide for determining applicability of PCI DSS Requirements for merchant
assessments documented in a Report on Compliance (ROC)?”

Based on stakeholder feedback, this FAQ has been updated to clarify that merchants should work with
their Qualified Security Assessor (QSA) to understand the merchant’s environment. If the merchant and
QSA agree that applying only the requirements included in an SAQ is an acceptable approach to securing
the merchant’s environment, then that SAQ may be used as a relevant guide for applicability of PCI DSS
requirements for that environment. If that environment meets some, but not all, eligibility requirements for
a particular SAQ, then that SAQ should not be considered as a relevant guide for applicability of
requirements.

Merchants should always consult with the organizations that manage their compliance programs (i.e.,
payment brands and acquirers) to confirm their PCI DSS validation and reporting method. If a detailed
assessment and ROC is the appropriate method, merchants meeting the eligibility criteria from an SAQ
should also confirm that the approach outlined in FAQ 1331 is acceptable.

Contact information for the payment brands can be found in FAQ #1142: How do I contact the payment
card brands?

FAQ 1331 is now available on the PCI SSC website.