PCI DSS Manual Self-Assessment Questionnaire

 

1. PAI Secure Overview
2. PCI DSS Tutorial
3. Self-Assessment Questionnaire
4. Data Breach Indemnification
5. Network IP Scan
6. FAQ

PAI Secure – PCI DSS Self-Assessment Questionnaire

For Level 2, 3 and 4 merchants and service providers (see level definitions here), completing the PCI Self Assessment Questionnaire (SAQ) is one validation requirement that must be met.

The Self Assessment Questionnaire is divided into sections based on the 12 PCI DSS requirements.

It serves as a checklist to make certain that a merchant has completed the PCI DSS security steps to protect credit card data.

The SAQ identifies any area of non-compliance.

Preparing Your Responses

In order to properly address the items in the questionnaire, be sure to read and review the PCI Data Security Standard (PCI DSS). You can find the standards at http://www.pcisecuritystandards.org.

After going through the PCI DSS documents you may discover your organization already meets the PCI DSS requirements. If so, do the following:

1. Complete the PCI SAQ.
2. Send the document to paisecuresaq@paymentallianceintl.com or fax to: 866-851-5183
   
   

However, should your organization not meet the PCI DSS requirements stated in the questionnaire, do the following:

1. Print and distribute the SAQ to the appropriate authorities within your organization to obtain accurate answers.
2. Take the steps necessary to establish a set of correct answers.
3. Complete the PCI SAQ.
4. Send the document to paisecuresaq@paymentallianceintl.com or fax to 866-851- 5183.

 

Scoring the Questionnaire

Merchants and service providers must answer all of the questions on the PCI Self Assessment Questionnaire with a 'Yes' or 'N/A' in order to be compliant according to the PCI DSS.

If a merchant/service provider answers 'No' to any question, the organization is deemed “Non Complaint” and must take the steps to become compliant.

The open items identified by the SAQ must be resolved, in conjunction with recommendations from your Approved Scan Vendor (ASV) or Qualified Security Assessor (QSA).

 

Sending the PCI DSS SAQ

Once the requirements have been met and the questionnaire has been completed, it should be sent to paisecuresaq@paymentallianceintl.com or faxed to 866-851-5183. A successful PCI scan report from an approved scanning vendor should be included if deemed necessary (see Network IP Scanning).

 

 

	Choose the description that best fits the way you accept credit cards.	Examples	SAQ
	Card-not-present  (e-commerce or mail/telephone-order) merchants. All cardholder data functions are outsourced. This would never apply to face-to-face merchants.	PayPal, Google Checkout	A
	Imprint-only merchants with no electronic cardholder data storage.	Telephone Authorizations, Dial Pay or Touch Tone Capture (TTC)	B1
	Stand-alone dial-up terminal merchants with no electronic data storage.	Telephone Cable Connected to: PAI-Trex, VeriFone, Hypercom, or similar terminals that perform authorizations and data capture	B2
	Merchants with payment application systems connected to the internet and no electronic cardholder data storage.	Internet Cable Connected to: PAI-Trex, VeriFone, Hypercom, or similar terminals that perform authorizations and data capture, or PC Systems such as PC Charge, Micros, Aloha	C
	Merchants with Web-based Virtual terminals and no electronic cardholder data storage	Internet Cable Connected to: Isolated virtual terminal on personal computers connected to the internet	C-VT
	All other merchants  (not included in descriptions for SAQ Forms A-C above)	All others not described in the above examples	D

 

 

 

 

 

Payment Alliance International is a registered ISO/MSP with HSBC Bank, USA, National Association, Buffalo, NY
Payment Alliance International is a registered ISO/MSP with First National Bank of Omaha
Payment Alliance International is a registered ISO/MSP of Merrick Bank, South Jordan, UT 84095