The PCI Toolkit® lets you proceed at your own pace through the PCI audit questionnaire with intuitive step-by-step instructions, and on average will assist you with completing the SAQ in less than 15 minutes. Merchants with more complex hardware and/or an online system can expect to complete the questionnaire in as little as 30 minutes. The PCI Toolkit® documents your compliance progress and stores your business results for future reference.
- Identify your General Business Processes (Validation Type) as defined by PCI DSS – see below. This is used to determine which Self-Assessment Questionnaire is appropriate for your business.
| SAQ Validation Type | Description | SAQ |
|---|---|---|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| 2 | Imprint-only merchants with no cardholder data storage | B |
| 3 | Stand-alone dial-up terminal merchants, no cardholder data storage | B |
| 4 | Merchants with payment application systems connected to the Internet, no cardholder data storage | C |
| 5 | All other merchants (not included in descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete a SAQ. | D |
- Allow the Toolkit to guide you through completing the Self-Assessment Questionnaire.
- For type 4 & 5 merchants, complete and obtain evidence of a passing vulnerability scan with a PCI Security Standards Council Approved Scanning Vendor (ASV). This is required for merchants with external-facing IP addresses. Simply put, if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.
- Complete the certification of compliance forms (Attestation of Compliance) on the website.
- Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
- The system will then prompt you to complete any required scanning or tasks before issuing a Certificate of Completion.