
PCI DSS Manual Self-Assessment Questionnaire

 

PCI DSS Tutorial

PAI Secure – PCI DSS Self-Assessment Questionnaire

For Level 2, 3 and 4 merchants and service providers, completing the PCI Self-Assessment Questionnaire (SAQ) is one validation requirement that must be met.

The Self Assessment Questionnaire is divided into sections based on the 12 PCI DSS requirements.

It serves as a checklist to make certain that a merchant has completed the PCI DSS security steps to protect credit card data.

The SAQ identifies any area of non-compliance.

Preparing Your Responses

In order to properly address the items in the questionnaire, make sure to read and review the PCI Data Security Standard (PCI DSS). You can find the standards at http://www.pcisecuritystandards.org

After going through the PCI DSS documents you may discover your organization already meets the PCI SSC requirements. If so, do the following:

However, should your organization not meet the PCI SSC requirements stated in the questionnaire, do the following:

  • Print and distribute the SAQ to the appropriate authorities within your organization to obtain accurate answers.
  • Take the steps necessary to establish a set of correct answers.
  • Complete the PCI SAQ.
  • Send the document to paisecuresaq@paymentallianceintl.com or fax to: 866-851-5183

 

Scoring the Questionnaire

For a PCI Self-Assessment Questionnaire to be valid and the organization compliant per the PCI DSS, merchants and service providers must answer every question with 'Yes' or 'N/A'.

If a merchant/service provider answers 'No' to any question, the organization is deemed “Non-Compliant” and must take the steps to become compliant.

The open items identified by the SAQ must be resolved, in conjunction with recommendations from your Approved Scan Vendor (ASV) or Qualified Security Assessor (QSA).

 

Sending the PCI DSS SAQ

Once the requirements have been met and the questionnaire has been completed, it should be sent to paisecuresaq@paymentallianceintl.com or faxed to: 866-851-5183 along with a successful PCI scan report from an approved scanning vendor if deemed necessary (See Network IP Scanning Page).

 

 

 

| Choose the description that best fits the way you accept credit cards | Examples | Form |
| --- | --- | --- |
| Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions are outsourced. This would never apply to face-to-face merchants. | PayPal, Google Checkout | A |
| Imprint-only merchants with no electronic cardholder data storage. | Telephone Authorizations, Dial Pay or Touch Tone Capture (TTC) | B1 |
| Stand-alone dial-up terminal merchants, no electronic data storage. | Telephone Cable Connected to: PAI-Trex, VeriFone, Hypercom, or similar terminals that perform authorizations and data capture | B2 |
| Merchants with payment application systems connected to the internet, no electronic cardholder data storage. | Internet Cable Connected to: PAI-Trex, VeriFone, Hypercom, or similar terminals that perform authorizations and data capture, or PC Systems such as PC Charge, Micros, Aloha | C |
| All other merchants (not included in descriptions for SAQ Forms A-C above) | All others not described in the above examples | D |

 

 

 

For more information about completing the Self-Assessment Questionnaire please click here.

 

 


Payment Alliance International is a registered ISO/MSP with HSBC Bank, USA, National Association, Buffalo, NY. Payment Alliance International is a registered ISO/MSP with First National Bank of Omaha.


