How can I prepare Self‑Assessment Questionnaire (SAQ‑A)?

Preparing a PCI DSS Self‑Assessment Questionnaire (SAQ‑A) is straightforward once you understand what it covers and gather the right information. SAQ‑A is the simplest version of the PCI DSS self‑assessment, intended for merchants who fully outsource cardholder data processing (for example, by using a hosted payment page or redirect where no card data passes through your servers).

Here’s a practical step‑by‑step guide:

1. Confirm that SAQ‑A is the right form

You can complete SAQ‑A only if:

  • All payment processing (authorization, storage, transmission of card data) is handled entirely by a PCI DSS‑validated third party (e.g., Stripe Checkout, PayPal Standard, Adyen Hosted Payment Page, etc.).
  • Your website does not capture, process, or store card data — even temporarily.
  • Your eCommerce site simply redirects customers to the payment provider or loads a secure iframe served by the provider.
  • You do not store any cardholder data on your systems (in databases, logs, or caches).

If your integration involves embedded scripts that interact with payment fields (e.g., Stripe Elements), your SAQ type might be SAQ‑A‑EP instead.

2. Obtain the official SAQ‑A template and instructions

You can download the latest SAQ forms from the official PCI Security Standards Council website:
👉 https://www.pcisecuritystandards.org

Look for:
“Self‑Assessment Questionnaire A and Attestation of Compliance.”

It includes:

  • The Questionnaire (SAQ‑A) — a checklist of requirements.
  • The Attestation of Compliance (AOC) — a summary and signature page you submit to your acquiring bank or payment processor.

3. Review what the SAQ‑A covers

SAQ‑A includes only a subset of the full PCI DSS requirements, roughly:

  • Installation and maintenance of secure systems
  • Use of secure passwords and configurations
  • Keeping your website free of cardholder data
  • Ensuring your service providers are PCI DSS validated
  • Maintaining proper information security policies

The current SAQ‑A has about 22 yes/no questions (out of the 300+ in the full PCI DSS).

4. Gather evidence and documentation

Before filling it out, prepare evidence that supports each “yes” answer. Examples include:

  • List of all third-party payment service providers and proof of their PCI DSS compliance (e.g., certificates, AOCs).
  • Network diagrams or architecture outlines showing that your environment doesn’t handle card data.
  • Policies and procedures for website maintenance, password management, and security patching.
  • Screenshots or records proving no card data is stored on your servers or databases.

5. Complete the questionnaire

  • Answer “Yes” for each requirement that you fully meet.
  • Use “N/A” only if the requirement doesn’t apply (valid only for SAQ‑A‑scoped systems).
  • Use “No” if a requirement isn’t met, and document a remediation plan.

6. Sign the Attestation of Compliance

The AOC page must be signed by a responsible party — often your business owner or IT/security manager. This confirms that:

  • You understand which systems are in scope.
  • You rely only on compliant service providers.
  • You maintain security policies and practices.

Submit the AOC (and SAQ‑A) to your acquiring bank or payment processor in the form they require.

7. Maintain and repeat annually

PCI DSS compliance must be re‑validated every year. In addition:

  • Re‑assess whenever you change your payment integration.
  • Keep SAQ‑A and supporting evidence on file.
  • Monitor that your payment providers remain PCI DSS validated each year.

Summary Checklist

Step  Task                 Description
----  -------------------  ------------------------------------------------------
1     Confirm eligibility  Ensure no card data passes through your systems
2     Download forms       Get official SAQ‑A & AOC from PCI SSC website
3     Review controls      Read each requirement, verify practices
4     Gather evidence      Payment provider certificates, policies, safety proofs
5     Complete SAQ‑A       Answer all questions truthfully
6     Sign & submit        Send the signed AOC to your acquiring bank
7     Repeat annually      Re‑validate and update as needed

If you’re unsure, many payment providers (Stripe, Braintree, Adyen, etc.) publish merchant guidance for PCI SAQ‑A, with template wording and evidence examples to simplify your compliance filing.
