PCI-DSS SAQ D-Merchant v3.2.1 Assessment Template
This download includes the Self-Assessment Questionnaire D and Attestation of Compliance for Merchants (All other SAQ-Eligible Merchants) v3.2.1.
SAQ D for Merchants applies to SAQ-eligible merchants not meeting the criteria for any other SAQ type.
Examples of merchant environments that would use SAQ D may include but are not limited to:
- E-commerce merchants who accept cardholder data on their website
- Merchants with electronic storage of cardholder data
- Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type
- Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment
While many organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. See the guidance below for information about the exclusion of certain, specific requirements.
Completing the Self-Assessment Questionnaire:
For each question, there is a choice of responses to indicate your company’s status regarding that requirement. Only one response should be selected for each question.
A description of the meaning for each response is provided in the table below:
Yes: The expected testing has been performed, and all elements of the requirement have been met as stated.
Yes with CCW (Compensating Control Worksheet): The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ. Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
No: Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
N/A (Not Applicable): The requirement does not apply to the organization’s environment. All responses in this column require a supporting explanation in Appendix C of the SAQ.
Not Tested: The requirement was not included for consideration in the assessment, and was not tested in any way. All responses in this column require a supporting explanation in Appendix D of the SAQ.