Completing the SAQ
There are multiple variants of the SAQ applicable to merchants seeking PCI compliance. This document covers compliance with SAQ D only.
Examples of merchant environments that would use SAQ D include, but are not limited to:
- E-commerce merchants who accept cardholder data on their website.
- Merchants with electronic storage of cardholder data.
- Merchants that don't store cardholder data electronically but do not meet the criteria of another SAQ type.
The official SAQ D has approximately 300 questions to be answered. Most of them concern general infrastructure controls, access controls and organizational policies. Answering the questions will be straightforward if you close out a few activities upfront. We have divided these activities into three categories.
| Type of Activity | Description |
|---|---|
| Organizational and People activities | Establish organizational policies and conduct staff training. |
| Infrastructure activities | Implement security measures in your cloud environment handling card data. |
| Access controls | Restrict infrastructure access to essential personnel. |
For further assistance, please contact us at hyperswitch@juspay.in
Final Steps
- Network Scan: Select a PCI-approved scanning vendor from the official list and obtain a network scan report. This process, typically automated by Approved Scanning Vendors (ASVs), should be conducted quarterly and usually completes within a few hours.
- Complete SAQ D: Fill out the SAQ D and retain a copy for your records.
You are PCI compliant now!
It's essential to submit your network scan report and Self-Assessment Questionnaire (SAQ) to your payment processor or acquirer.
Submission methods vary; some processors provide a dashboard for uploads, while others prefer email communication. Ensure you adhere to your processor's specific requirements and submission schedule, typically on a quarterly basis.