The PCI DSS Self-Assessment Questionnaire consists of 12 Requirements, each relating to a different aspect of payment card security. Each requirement consists of a number of sub-requirements or ‘controls’.

The controls for each requirement are listed under each tab in the navigation bar, and all questions are required to be answered.

For each requirement, you must assign one of the following statuses from the drop-down list provided:

In Place: Select this status if your environment satisfies the requirement. For example, if video cameras are installed to protect sensitive areas (e.g. a server room or a back office), then set the status for question 9.11(a) to In Place.

Not In Place: Select this status if your environment does not meet the requirement. For example, if quarterly internal network scans are not (to the best of your knowledge) performed, then set the status for question 11.2.3(a) to Not In Place.

Not Applicable: Select this status if you believe a particular requirement does not apply to your environment. For example, if you do not employ wireless technology (this is highly unlikely) in any capacity, then set the status for question 11.1.1 to Not Applicable.

Compensating Control: Select this status if the requirement is satisfied by means of a compensating control rather than by the control as written.

Not Tested: Select this status if the requirement has been excluded from evaluation. Note that Not Tested is not the same as Not Applicable. By assigning a Not Tested status, you are excluding the requirement without any consideration of whether it applies to your environment (unlike Not Applicable, which records a judgement that it does not apply). For example, if your organization introduces new technology that affects a subset of requirements, a Not Tested status may be applied to the remaining requirements. Not Tested should therefore be applied in very specific cases only.

The SAQ screen allows you to quickly filter responses by status: In Place, Not In Place, Not Applicable, Compensating, Not Answered and Not Tested. Click on the grey tabs to apply these filters:


Completing the SAQ

To answer a requirement, select a status from the drop-down list, as shown below:


If you assign a Not Tested status to a requirement, you must state the reason(s) for doing so in the space provided:

If you assign an In Place status to a requirement, you can add a comment in the space provided and/or upload one or more documents as evidence:

If you assign a Not In Place status to a requirement, you are required to state the reason(s) why, and the date by which you expect the requirement to be in place (the remediation date).

If you assign a Not Applicable status to a requirement, you must state the reason(s) why in the space provided. You can also upload one or more documents as evidence.


If a requirement cannot be satisfied due to specific and legitimate issues, choose the Compensating option, detail the security measures your organization has in place to satisfy the intent of the requirement, and complete the Compensating Controls Worksheet (blue button beneath the control, see below). You can also upload one or more documents as evidence.

Uploading Documents

To upload documents, click the blue Manage Document button included with each requirement.

Click the Upload a New Document tab to upload the necessary evidence to demonstrate compliance or explain the status of the selected requirement:

The Link an Existing Document tab enables you to reuse a document previously attached to another requirement: