There are multiple variants of SAQs applicable to merchants seeking PCI compliance. This document explains compliance with SAQ D only. Examples of merchant environments that would use SAQ D include, but are not limited to:
- E-commerce merchants who accept cardholder data on their website.
- Merchants with electronic storage of cardholder data.
- Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type.
The official SAQ D has approximately 300 questions to be answered. Most of them concern general infrastructure controls, access controls and organizational policies. Answering the questions will be a cakewalk if you complete a few activities upfront. We have divided these activities into three categories.
| Type of Activity | Description |
|---|---|
| Organizational and People activities | Establish organizational policies and conduct staff training. |
| Infrastructure activities | Implement security measures in your cloud environment handling card data. |
| Access controls | Restrict infrastructure access to essential personnel. |
Final Steps
- Network Scan: Select a PCI-approved scanning vendor from the official list and obtain a network scan report. This process, typically automated by Approved Scanning Vendors (ASVs), should be conducted quarterly and usually completes within a few hours.
- Complete SAQ D: Fill out the SAQ D and retain a copy for your records.
You are PCI compliant now!!
It’s essential to submit your network scan report and Self-Assessment Questionnaire (SAQ) to your payment processor or acquirer.
Submission methods vary; some processors provide a dashboard for uploads, while others prefer email communication. Ensure you adhere to your processor’s specific requirements and submission schedule, typically on a quarterly basis.