PCI-DSS SAQ D-SP v4.0 Assessment Template
Details
Self-Assessment Questionnaire (SAQ) D for Service Providers applies to all service providers defined by a payment brand as being eligible to complete a self-assessment questionnaire.
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE).
PCI-DSS Self-Assessment Completion Steps:
1. Per the eligibility criteria in this SAQ and as spelled out in the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website, this SAQ is the ONLY SAQ OPTION for service providers.
2. Confirm that the service provider environment is properly scoped.
3. Assess environment for compliance with PCI DSS requirements.
4. Complete all sections of this document:
- Section 1: Assessment Information (Parts 1 & 2 of the Attestation of Compliance (AOC) – Contact Information and Executive Summary).
- Section 2a – Details about Reviewed Environment.
- Section 2b – Self-Assessment Questionnaire D for Service Providers.
- Section 3: Validation and Attestation details (Parts 3 & 4 of the AOC – PCI DSS Validation and Action Plan for Non-Compliant Requirements (if Part 4 is applicable)).
5. Submit the SAQ and AOC, along with any other requested documentation—such as ASV scan reports—to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
Requirement Responses:
For each requirement item, there is a choice of responses to indicate the entity’s status regarding that requirement. Only one response should be selected for each requirement item.
A description of the meaning for each response and how to report the testing performed is provided in the table below:
| Response | When to use this response | Service Provider Required Reporting |
|---|---|---|
| In Place | The expected testing has been performed, and all elements of the requirement have been met as stated. | Briefly describe how the testing and evidence demonstrate that the requirement is In Place. |
| In Place with CCW (Compensating Controls Worksheet) | The expected testing has been performed, and the requirement has been met with the assistance of a compensating control. | Briefly describe which aspect(s) of the requirement a compensating control was used for. All responses in this column also require completion of a Compensating Controls Worksheet (CCW) in Appendix B of this SAQ. Information on the use of compensating controls and guidance on how to complete the CCW is provided in PCI DSS Appendices B and C. |
| In Place with Remediation | The requirement was Not in Place when the expected testing was initially performed, but the entity addressed the situation and put processes in place to prevent re-occurrence prior to completion of the self-assessment. In all cases of In Place with Remediation, the entity has identified and addressed the reason the control failed, has implemented the control, and has implemented ongoing processes to prevent re-occurrence of the control failure. | Briefly describe what was initially Not in Place and how the testing and evidence demonstrate that the requirement is now In Place. All responses in this column also require a supporting explanation in Appendix C of this SAQ. |
| Not Applicable | The requirement does not apply to the entity's environment. (See "Guidance for Not Applicable Requirements" below for examples.) All responses in this column require a supporting explanation in Appendix D of this SAQ. | Briefly describe the results of the testing performed that demonstrate the requirement is Not Applicable. All responses in this column also require a supporting explanation in Appendix D of this SAQ. |
| Not Tested | The requirement was not included for consideration in the assessment and was not tested in any way. (See "Understanding the Difference between Not Applicable and Not Tested" below for examples of when this option should be used.) | Briefly describe why this requirement was excluded from the assessment. All responses in this column also require a supporting explanation in Appendix E of this SAQ. |
| Not in Place | Some or all elements of the requirement have not been met, are in the process of being implemented, or require further testing before the entity can confirm they are in place. Responses in this column may require the completion of Part 4, if requested by the entity to which this SAQ will be submitted. This response is also used if a requirement cannot be met due to a legal restriction. (See "Legal Exception" below for more guidance.) | Briefly describe how the testing and evidence demonstrate that the requirement is Not in Place. Responses in this column may require the completion of Part 4, if requested by the entity to which this SAQ will be submitted. If the requirement is not in place due to a legal restriction, describe the statutory law or regulation that prohibits the requirement from being met and complete the relevant attestation in Part 3 of this SAQ. |
Jurisdiction | All |
---|---|
Type | Laws or related obligations |