PCI-DSS SAQ D-Merchant v4.0 Assessment Template
Details
Self-Assessment Questionnaire (SAQ) D for Merchants applies to merchants that are eligible to complete a self-assessment questionnaire but do not meet the criteria for any other SAQ type. Examples of merchant environments to which SAQ D may apply include but are not limited to:
- E-commerce merchants that accept cardholder data on their website.
- Merchants with electronic storage of cardholder data.
- Merchants that don't store cardholder data electronically but that do not meet the criteria of another SAQ type.
- Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment.
PCI-DSS Self-Assessment Completion Steps:
1. Confirm, by reviewing the eligibility criteria in this SAQ and the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website, that this is the correct SAQ for the merchant's environment.
2. Confirm that the merchant environment is properly scoped.
3. Assess environment for compliance with PCI DSS requirements.
4. Complete all sections of this document:
- Section 1: Assessment Information (Parts 1 & 2 of the Attestation of Compliance (AOC) – Contact Information and Executive Summary).
- Section 2: Self-Assessment Questionnaire D for Merchants.
- Section 3: Validation and Attestation Details (Parts 3 & 4 of the AOC – PCI DSS Validation and Action Plan for Non-Compliant Requirements (if Part 4 is applicable)).
5. Submit the SAQ and AOC, along with any other requested documentation—such as ASV scan reports—to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
Requirement Responses:
For each requirement item, there is a choice of responses to indicate the merchant’s status regarding that requirement. Only one response should be selected for each requirement item.
A description of the meaning for each response is provided in the table below:
Response | When to use this response:
---|---
In Place | The expected testing has been performed, and all elements of the requirement have been met as stated.
In Place with CCW (Compensating Controls Worksheet) | The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Controls Worksheet (CCW) in Appendix B of this SAQ. Information on the use of compensating controls and guidance on how to complete the worksheet is provided in PCI DSS Appendices B and C.
In Place with Remediation | The requirement was Not in Place when the expected testing was initially performed, but the merchant addressed the situation and put processes in place to prevent re-occurrence prior to completion of the self-assessment. In all cases of In Place with Remediation, the merchant has identified and addressed the reason the control failed, has implemented the control, and has implemented ongoing processes to prevent re-occurrence of the control failure. All responses in this column require a supporting explanation in Appendix C of this SAQ.
Not Applicable | The requirement does not apply to the merchant's environment. (See "Guidance for Not Applicable Requirements" below for examples.) All responses in this column require a supporting explanation in Appendix D of this SAQ.
Not Tested | The requirement was not included for consideration in the assessment and was not tested in any way. (See "Understanding the Difference between Not Applicable and Not Tested" below for examples of when this option should be used.) All responses in this column require a supporting explanation in Appendix E of this SAQ.
Not in Place | Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before the merchant can confirm they are in place. Responses in this column may require the completion of Part 4, if requested by the entity to which this SAQ will be submitted. This response is also used if a requirement cannot be met due to a legal restriction. (See "Legal Exception" below for more guidance.)
More Information
Field | Value
---|---
Jurisdiction | All
Type | Laws or related obligations