We use cookies to give you the best browsing experience and to help us understand how you use our site. Cookies are small snippets of data stored on your computer and some have already been set. By continuing to use our website you are accepting our use of cookies. To find out more, read about cookies

Please note

We cannot answer specific queries about your account here. For Account queries please

Your selected question

I don't understand the PCI DSS self assessment questionnaire (SAQ)?

The SAQ's are a series of questionnaires that are required to be completed by merchants all around the world. The forms originated and are maintained by the Payment Card Industry Security Standards Council (PCI SSC) and the forms are available on their website. The current version is 2.0.
There are 2 forms to complete the Attestation of Compliance (AOC) and the Self Assessment Questionnaire (SAQ). The SAQ downloads include the AOC; however the AOC is separately downloadable from the PCI SSC website.
Here's some tips on completion of the forms; taking SAQ A as an example....

• Part 1 of the AOC need only be completed if a Qualified Security Assessor (QSA) company is engaged to assist the merchant in the completion of their SAQ.

• Part 2a
          DBA(s): Doing Business As, which is equivalent to UK Trading Names (to be completed if different to Company Name).
          Title: is the Job title of the person completing the AOC.
          State/province: UK County required here
          ZIP: UK postcode required here
          URL: website addresses/domain names

• Part 2b Relationships; compliant third-party Service Providers can be found on the Visa and MasterCard websites (see the link on our home page). Barclaycard is an Acquirer; a merchant may also process with other Acquirers e.g. RBS or First Data. If the questions in 2b are answered ‘NO' it doesn't mean that the merchant is non compliant.

• Part 2c Eligibility to complete; all boxes must be ticked; if not SAQ A may not be the applicable SAQ for how the payments are processed.

• Part 3 PCI DSS Validation; only one box should be completed.

• Part 3a Confirmation of Compliant Status; all boxes must be ticked.

• Part 3b: sign and print the name and job title of the person completing the form.

• Part 4; Only to be completed if Non Compliant; the compliance status must be completed for  each requirement; if any are answered NO, an action plan must also be completed.

• SAQ completion principles:
          a. If any of the questions are answered no, then the status overall will be ‘non-compliant' until all questions can be answered yes or in some cases n/a.
          b. If any question is answered n/a or yes but there is a compensating control; then details must be provided on a separate sheet and approved by the QSA and/or Acquirer.
          c. The compensating control appendix is only required to be completed if the specific requirements of the standard cannot be met.
          d. The completion of the forms should not be seen as a test; the idea is that each question is carefully considered and if the merchant has security measures in place that satisfy each requirement then that's great, if not the merchant should implement the necessary measures to make sure they can answer yes.
          e. Some questions are difficult to understand because of the way it is phrased e.g. "Do not store the PIN ......." If the PIN is not stored the answer will be ‘YES'

How useful did you find the answer given?

Not at all Very useful