FAQ #1134 Diff

What are the steps needed to use the Self-assessment Questionnaire (SAQ) to validate compliance with PCI DSS?

Earlier Version

In accordance with payment brands' compliance programs, those merchants and service providers who are permitted by the payment brands to validate their compliance with the PCI DSS using a Self-assessment Questionnaire (SAQ) may need to complete the following steps:

1. Complete the SAQ according to the Self-Assessment Questionnaire Instructions and Guidelines document.
2. If required as part of your compliance, complete a clean vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of a passing scan from the ASV.
3. Complete the relevant Attestation of Compliance in its entirety (located in the SAQ).
4. Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to your acquirer or payment brand.

Merchants should consult with their acquirer (merchant bank) or the payment brands directly to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.

Later Version

Merchants and service providers that validate PCI DSS compliance using a Self-Assessment Questionnaire (SAQ) will typically complete the following steps:

1. Identify the SAQ that applies to your environment, using the Self-Assessment Questionnaire Instructions and Guidelines document (available in the PCI SSC Documents Library) for guidance. Merchants should consult with their acquirer (merchant bank) or the payment brands directly to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.
2. Confirm your environment is properly scoped and meets all the eligibility criteria for the SAQ being used.
3. Perform the self-assessment activities as described in the Expected Testing column of the SAQ, and enter a response for each requirement included in the SAQ.
4. Complete all sections of the SAQ and Attestation of Compliance (AOC). AOCs are included within each SAQ and also provided as separate, standalone documents.
5. If required as part of your compliance, complete external vulnerability scans using a PCI SSC Approved Scanning Vendor (ASV), and obtain passing scan reports from the ASV.
6. Submit the required documentation to your acquirer or payment brand, in accordance with the applicable payment brand compliance programs. Your compliance documentation may include the full SAQ, AOC, and/or ASV scan reports, as well as other documentation requested by your acquirer or payment brand.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.