PCI-DSS SAQ D-SP v3.2.1 Assessment Template
This download includes the Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers. SAQ D for Service Providers applies to all service providers defined by a payment brand as being SAQ-eligible.
While many organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply.
Completing the Self-Assessment Questionnaire:
For each question, there is a choice of responses to indicate your company’s status regarding that requirement. Only one response should be selected for each question.
A description of the meaning for each response is provided below:
Yes: The expected testing has been performed, and all elements of the requirement have been met as stated.
Yes with CCW (Compensating Control Worksheet): The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ. Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
No: Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
N/A (Not Applicable): The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.) All responses in this column require a supporting explanation in Appendix C of the SAQ.
Not Tested: The requirement was not included for consideration in the assessment, and was not tested in any way. All responses in this column require a supporting explanation in Appendix D of the SAQ.