# Completing the SAQ

{% hint style="warning" %}
There are multiple [variants of SAQs](https://listings.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf) applicable for Merchants willing to be PCI compliant. This document explains compliance to SAQ D only.

Examples of merchant environments that would use SAQ D includes but not limited to:

* **E-commerce merchants** who **accept cardholder data** on their website.
* Merchants with **electronic storage of cardholder data.**
* Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type.
  {% endhint %}

The [Official SAQ D](https://listings.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf) has approximately 300 questions to be answered. Most of the aspects are general infrastructure controls, access controls and organizational policies. Answering the questions will be a cake walk if you close few activities upfront. We have divided the activities into three categories.

<table><thead><tr><th>Type of Activity</th><th width="348.3333333333333">Description</th></tr></thead><tbody><tr><td>Organizational and People activities</td><td>Establish organizational policies and conduct staff training.</td></tr><tr><td>Infrastructure activities</td><td>Implement security measures in your cloud environment handling card data.</td></tr><tr><td>Access controls</td><td>Restrict infrastructure access to essential personnel.</td></tr></tbody></table>

{% hint style="info" %}
For further assistance, please contact us at <hyperswitch@juspay.in>
{% endhint %}

**Final Steps**

1. **Network Scan**: Select a PCI-approved scanning vendor from the official [list](https://listings.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors) and obtain a network scan report. This process, typically automated by Approved Scanning Vendors (ASVs), should be conducted quarterly and usually completes within a few hours.
2. **Complete SAQ D**: Fill out the SAQ D and retain a copy for your records.

{% hint style="success" %}
You are PCI compliant now!!
{% endhint %}

It's essential to submit your network scan report and Self-Assessment Questionnaire (SAQ) to your payment processor or acquirer.

**Submission methods vary;** some processors provide a dashboard for uploads, while others prefer email communication. Ensure you adhere to your processor's specific requirements and submission schedule, typically on a quarterly basis.