PCI-DSS SAQ-A v3.2.1 Assessment Template

This download includes the Self-Assessment Questionnaire A and Attestation of Compliance for Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced v3.2.1.

SAQ A has been developed to address requirements applicable to merchants whose cardholder data functions are completely outsourced to validated third parties, where the merchant retains only paper reports or receipts with cardholder data.

SAQ A merchants may be either e-commerce or mail/telephone-order merchants (card-not-present), and do not store, process, or transmit any cardholder data in electronic format on their systems or premises.

SAQ A merchants confirm that, for this payment channel:

• Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
• All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers;
• Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
• Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
• Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.

Additionally, for e-commerce channels:

• All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s).

Completing the Self-Assessment Questionnaire:

For each question, there is a choice of responses to indicate your company’s status regarding that requirement. Only one response should be selected for each question.

A description of the meaning for each response is provided below:

Yes: The expected testing has been performed, and all elements of the requirement have been met as stated

Yes with CCW (Compensating Control Worksheet): The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ.Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.

No: Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place

N/A (Not Applicable): The requirement does not apply to the organization’s environment. All responses in this column require a supporting explanation in Appendix C of the SAQ.