ποΈCompleting the SAQ
Simplifying Self-Assessment Questionnaire
There are multiple variants of SAQs applicable for Merchants willing to be PCI compliant. This document explains compliance to SAQ D only.
Examples of merchant environments that would use SAQ D includes but not limited to:
E-commerce merchants who accept cardholder data on their website.
Merchants with electronic storage of cardholder data
Merchants that donβt store cardholder data electronically but that do not meet the criteria of another SAQ type
The Official SAQ D has approximately 300 questions to be answered. Most of the aspects are general infrastructure controls, access controls and organizational policies. Answering the questions will be a cake walk if you close few activities upfront. We have divided the activities into three categories.
| Type of Activity | Description |
|---|---|
Organizational and People activities | A set of organization policies, trainings to be underwent by people in the organization |
Infrastructure activities | Ensuring security components in your cloud environment which accept and/or stores card data |
Access controls | Limiting infrastructure access to critical stakeholders |
Simplifying the activities
Are you worried, this is a lot of work?
You don't have to. We have simplified the recipe to help you get this done faster
Project tracker: A spreadsheet which can be handy to project manage and get above activities completed.
Documentation templates: Easy to reuse templates for the
Documentation and ProcessScripts: Automation scripts which can help you close most of the Infrastructure activities in few minutes.
Reachout to us on biz@hyperswitch.io to access more information. You may also book a call with hyperswitch team to understand more about the process.
Final steps
Choose an PCI approved Scanning Vendor from this list and get a network scan report. This exercise will have to be done quarterly. This takes less than few hours to complete, because most ASVs have automated tools to run the scan,
Complete the SAQ D report and retain a copy of it for future reference.
You are PCI compliant now!!
You can now upload the Network scan report and the SAQ on your payment processor/ acquirer dashboard. However, most acquirers insist on sharing the compliance reports through email, hence you might have to do that on a quarterly basis.
Last updated