PCI DSS – Frequently Asked Questions

So, you’re working on your first Self-Assessment Questionnaire (SAQ) and you get stuck. Up until this point, it’s gone pretty well: you talked to your acquiring bank, downloaded the form they told you to use, and pulled together the right people from your company to answer the requirements. But now you’re stuck. Where do you turn?

You’re in luck. Did you know the Payment Card Industry Security Standards Council (PCI SSC) has a rich assortment of frequently asked questions (FAQs)? They are easily found at https://www.pcisecuritystandards.org/faqs, where you can perform a keyword search or select from categories such as “SELF ASSESSMENT QUESTIONNAIRE (SAQ)”. The FAQs are arranged by article number, which is what we in the QSA community use when referencing an FAQ in text. The FAQs are the culmination of 14 years of questions out of the PCI Data Security Standard (DSS) ecosystem. Useful information right at your fingertips.

There are quick links to “Newly Added,” “Most Popular,” and “Most Recently Updated” so you can keep up with changes to the website. These are helpful to get you started. You can also set up an RSS feed and get notified when changes are made to the site. A “Contact Us” link on the main page lets you submit a question to the PCI SSC.

A few examples that you might search:

Qualified Security Assessors (QSAs) use the FAQs for the same reasons merchants do: we keep up with them as a means to address questions that arise in the assessment process. They are that universal and will be helpful as you negotiate all things PCI.





Written by Drew Cathey

Drew Cathey has been a member of the SecureTrust team for five years and has been in IT for 35 years. Coming from a background in telecommunications IT operations, he has held positions in engineering, project management and IT security. Drew holds degrees in biology, engineering and an MBA in Information Technology management along with PMP, CISSP, CISA and QSA certifications. He resides in St. Petersburg, FL with his two children and enjoys running, bicycling and tennis.