Frequently Asked Question

Merchants and service providers that validate PCI DSS compliance using a Self-Assessment Questionnaire (SAQ) will typically complete the following steps:

1. Identify the SAQ that applies to your environment, using the Self- Assessment Questionnaire Instructions and Guidelines document (available in the PCI SSC Documents Library) for guidance. Merchants should consult with their acquirer (merchant bank) or the payment brands directly to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.

2. Confirm your environment is properly scoped and meets all the eligibility criteria for the SAQ being used.

3. Perform the self-assessment activities as described in the Expected Testing column of the SAQ, and enter a response for each requirement included in the SAQ.

4. Complete all sections of the SAQ and Attestation of Compliance (AOC). AOCs are included within each SAQ and also provided as separate, standalone documents.

5. If required as part of your compliance, complete external vulnerability scans using a PCI SSC Approved Scanning Vendor (ASV), and obtain passing scan reports from the ASV.

6. Submit the required documentation to your acquirer or payment brand, in accordance with the applicable payment brand compliance programs.  Your compliance documentation may include the full SAQ, AOC, and/or ASV scan reports, as well as other documentation requested by your acquirer or payment brand.