The PCI Data Security Standard Self Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The questionnaire consists of a set of 12 security requirements sub-divided into 6 broader sections - with each section targeting a specific area of security from the PCI Data Security Standard. All sections must be completed. Completing a Self-Assessment Questionnaire helps online merchants evaluate their security practices and plan compliance with the required PCI Data Security Standard. Further, completing the required SAQ - gives others, such as their Acquiring Bank, the necessary evidence that they are in Compliance with the PCI Data Security Standard.

There are 9 different versions of the self assessment questionnaire. The version that your organization will need to complete depends on how your company handles credit card data - this is called your 'Validation Type'. For some merchants, the appropriate questionnaire is short and simple, while for others it is long and technical. The first five or six questions in the compliance wizard will quickly determine your company's validation type then automatically begin the appropriate questionnaire.

About the PCI Security Standards Council

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa.

What are the criteria for passing or failing the questionnaire?

Merchants have to pass (or be able to say 'Not Applicable') to ALL questions to be considered compliant with the PCI Data Security Standard.

Failing any question means the merchant or service provider is not compliant. The risk(s) identified by the questionnaire must be remedied and the questionnaire retaken.

Why does HackerGuardian provide the PCI Self Assessment Questionnaire (SAQ)?

We have simplified this often confusing process with the launch of the HackerGuardian PCI Compliance Wizard. The intuitive web-based application guides merchants through every step of the PCI SAQ. Each question is accompanied by expert advice to help the merchant interpret and appropriately answer each question. At the end of the wizard you will find out immediately whether or not your answers qualify your organization as PCI compliant.

HackerGuardian PCI SAQ Benefits

Glad you asked. At the end of your questionnaire you will receive:

  • A Questionnaire Summary - Listing security control areas on which you failed compliance.
  • A custom 'Remediation Plan' for your company containing:
  • A comprehensive List of Remedial Actions that you need to take to attain full PCI compliance.
  • A remediation planning tool enabling task prioritization and project management.
  • A non-compliant resolution summary with links to recommended products and services that will help you cost-effectively resolve non-compliant areas.
  • And of course, a 'ready-to-submit' PCI DSS Self Assessment Questionnaire.

What if I can’t finish it? Your progress is automatically saved after each question - allowing you to log out and return at a later date to complete the questionnaire. Your free account and responses are retained, giving you an opportunity to revise and modify any of your answers. This also allows you to update, schedule and track the progress of outstanding remediation tasks.

Payment Card Industry (PCI) Data Security Standard

Requirements and Security Assessment Procedures | version 3.2

SAQ TypeDescription
ACard-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.
A-EPE-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.
BMerchants using only: Imprint machines with no electronic cardholder data storage; and/orStandalone, dial-out terminals with no electronic cardholder data storage.Not applicable to e-commerce channels
B-IPMerchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
C-VTMerchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
CMerchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.
P2PE-HWMerchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.
D-MERAll merchants not included in descriptions for the above SAQ types.
D-SPAll service providers defined by a payment brand as eligible to complete a SAQ.

SAQ Sample

Sample questions taken directly from the Self-Assessment Questionnaire you will take: