5 Steps for PCI DSS SAQ Self-Assessment:

1. Select the SAQ type applicable to you.

2. Verify that the scope of your PCI DSS environment is accurate.

3. Self-assess if

   your environment is compliant with PCI DSS requirements.

4. Complete the SAQ documentation, including assessment information, the questionnaire, and supporting evidence.

5. Submit the SAQ assessment results and the Attestation of Compliance (AOC) to the requesting organization (acquirer).

Most importantly, choose the SAQ type that suits your environment!

For e-commerce, these SAQ versions may apply:

• Service Providers

SAQ D for Service Provider:

Applicable only to service providers, it includes the requirements from SAQ D for Merchants and adds criteria for documentation and customer policies, procedural reviews, configuration checks, alerts, penetration test records, and more, with a total of 259 questions.

• Merchants

SAQ A:

For fully outsourced payment services (e.g., payment page using URL redirect or iFrame). SAQ A involves document checks, configuration checks, policy reviews, data retention and disposal, and external vulnerability scans. It’s the shortest SAQ version, with only 29 questions.

SAQ A-EP:

For merchants using an outsourced payment processor but managing their own payment page. SAQ A-EP covers SAQ A items and adds requirements for network management, host management, data security, vulnerability management, access control, and monitoring/testing, with significant additional requirements due to partial involvement in payment processing.

SAQ D for Merchant:

For merchants with an in-house payment system or those storing cardholder data electronically. SAQ D for Merchant has broader requirements than SAQ A-EP, covering all PCI DSS requirements for merchants.