🗒️Completing the SAQ

Simplifying Self-Assessment Questionnaire

There are multiple variants of SAQs applicable for Merchants willing to be PCI compliant. This document explains compliance to SAQ D only.

Examples of merchant environments that would use SAQ D includes but not limited to:

  • E-commerce merchants who accept cardholder data on their website.

  • Merchants with electronic storage of cardholder data

  • Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type

The Official SAQ D has approximately 300 questions to be answered. Most of the aspects are general infrastructure controls, access controls and organizational policies. Answering the questions will be a cake walk if you close few activities upfront. We have divided the activities into three categories.

Type of ActivityDescription

Organizational and People activities

A set of organization policies, trainings to be underwent by people in the organization

Infrastructure activities

Ensuring security components in your cloud environment which accept and/or stores card data

Access controls

Limiting infrastructure access to critical stakeholders

Simplifying the activities

Are you worried, this is a lot of work?

You don't have to. We have simplified the recipe to help you get this done faster

  1. Project tracker: A spreadsheet which can be handy to project manage and get above activities completed.

  2. Documentation templates: Easy to reuse templates for the Documentation and Process

  3. Scripts: Automation scripts which can help you close most of the Infrastructure activities in few minutes.

Reachout to us on biz@hyperswitch.io to access more information. You may also book a call with hyperswitch team to understand more about the process.

Final steps

Choose an PCI approved Scanning Vendor from this list and get a network scan report. This exercise will have to be done quarterly. This takes less than few hours to complete, because most ASVs have automated tools to run the scan,

Complete the SAQ D report and retain a copy of it for future reference.

You are PCI compliant now!!

You can now upload the Network scan report and the SAQ on your payment processor/ acquirer dashboard. However, most acquirers insist on sharing the compliance reports through email, hence you might have to do that on a quarterly basis.

Last updated