Category: Ecomerce

Ready-to-use evidence checklist tailored for SAQ‑A to attach with submission?

Having a ready‑to‑use evidence checklist will make your SAQ‑A submission clean and defensible if your acquirer or payment processor asks for supporting materials.

Below is a practical, SAQ‑A‑specific evidence checklist, tailored for merchants who fully outsource payment processing (e.g., redirect or hosted payment page).

✅ SAQ‑A Evidence Checklist

1. Scope & Environment Documentation

Evidence Type	Description	Example Artifacts
Payment Flow Diagram	A simple diagram showing where and how payments occur — your site redirects the customer to a PCI‑validated payment gateway, so your environment never sees card data.	PDF or image showing: User browser → Your web app → Redirect → Payment Gateway (PCI DSS provider)
System Inventory / Data Flow Summary	A one‑page document listing which servers, databases, and services are in scope and confirming that none store, process, or transmit card data.	Word or PDF summary table
Network Diagram (if applicable)	Optional for SAQ‑A, but useful to illustrate that the eCommerce server has no connectivity to cardholder systems.	Network map or Visio diagram

2. Third‑Party Compliance Documentation

Evidence Type	Description	Example Artifacts
Payment Processor’s PCI DSS Attestation of Compliance (AOC)	Proof that your gateway (e.g., Stripe, PayPal, Adyen) is PCI DSS validated.	Provider’s standard AOC PDF or certification letter
Hosting Provider’s Security Compliance (if applicable)	If you host your site in the cloud, supply AWS, Google Cloud, or hosting company’s PCI or ISO 27001 evidence.	Provider security whitepaper, SOC 2 or PCI AOC
Third‑Party Service Agreements	Show that your contracts require each provider to maintain PCI DSS compliance.	Contract clause or service agreement snippet

3. Operational & Policy Evidence

Evidence Type	Description	Example Artifacts
Information Security Policy	High‑level policy establishing roles, responsibilities, and PCI compliance commitment.	PDF policy signed by management
Password & Access Control Policy	Policies enforcing strong passwords, least‑privilege access, and MFA for admin systems.	Short document or admin‑user guide
Software Update / Patch Record	Record of how your site or CMS is updated securely.	Change logs, screenshots from update dashboard
Incident Response Procedure	A short plan explaining how you’d respond if your site is breached or defaced.	PDF or internal wiki extract
Employee Awareness Evidence	Record that staff handling the website know data‑handling practices (no card data).	Training slide, sign‑off list, or email log

4. Website Security Proof

Evidence Type	Description	Example Artifacts
HTTPS / TLS Certificate Evidence	Confirm your site forces HTTPS and has a valid TLS cert.	Screenshot of padlock or certificate details
Admin Access Controls	Demonstrate MFA or restricted login.	Screenshot from CMS admin configuration panel
Vulnerability Scan Results	Even if you outsource card data, some acquirers require quarterly external scans.	Scan report summary (e.g., “no high vulnerabilities”)
File/Config Review Proof	Screenshots or notes showing no cardholder data stored in web configs, logs, or DBs.	Screenshots of empty payment fields in admin backend

5. Attestation Support Files

Evidence Type	Description	Example Artifacts
Completed SAQ‑A Form	Filled out “Self‑Assessment Questionnaire A.”	PDF of the official form
Attestation of Compliance (AOC)	The final signature page confirming compliance.	Signed PDF
Contact Info Sheet	List of your merchant’s PCI contact persons.	Internal contact form

6. Maintenance & Annual Validation Records

Evidence Type	Description	Example Artifacts
Annual Review Checklist	Record showing you re‑assessed PCI scope annually.	Dated checklist or meeting minutes
Provider PCI Renewals	Updated AOCs each year from gateways and hosts.	New PDF certificates
Change Management Log	Record of website or system changes that could affect card handling.	Internal change-log excerpt

🗂️ How to Present It

Keep all evidence in a single folder (e.g., /PCI_2024/SAQ-A_Evidence/).
Organize subfolders: /Scope/, /3rdParty_AOCs/, /Policies/, /Screenshots/, /Scans/.
Include a README.txt summarizing what each file demonstrates.
Date all documents and screenshots.
Submit only the SAQ and Attestation to the acquirer unless they explicitly request supporting evidence — but keep your folder ready.

🧠 Quick Tips

Only include live, relevant evidence — don’t dump logs or sensitive system data.
Redact internal IPs or credentials in screenshots.
Review that nothing contradicts SAQ‑A eligibility (e.g., no internal card data processing).
Keep all docs digitally signed or on company letterhead for clarity.

This checklist, kept current, will get you through most PCI DSS SAQ‑A validations with minimal back‑and‑forth.

Here’s a ready‑to‑use folder template and example README you can drop into your compliance archive or share with your acquiring bank/processor if they request supporting materials. It’s designed specifically for PCI DSS SAQ‑A merchants (those fully outsourcing card processing).

📁 Folder Structure Template

PCI_DSS_SAQ-A_2024/
│
├── 00_README/
│   └── README_SAQ-A_COMPLIANCE.txt
│
├── 01_Scope_and_Network/
│   ├── Payment_Flow_Diagram.pdf
│   ├── Network_Topology.png
│   └── System_Inventory_Summary.pdf
│
├── 02_Third_Party_Compliance/
│   ├── Payment_Gateway_AOC_2024.pdf
│   ├── Hosting_Provider_Compliance_Certificate.pdf
│   ├── Cloud_Service_Provider_SOC2.pdf
│   └── ThirdParty_Contracts_PCI_Clauses.pdf
│
├── 03_Policies_and_Procedures/
│   ├── Information_Security_Policy.pdf
│   ├── Password_Access_Control_Policy.pdf
│   ├── Patch_Management_Procedure.pdf
│   ├── Incident_Response_Plan.pdf
│   └── Staff_Awareness_Training_Record.pdf
│
├── 04_Website_Security_Evidence/
│   ├── HTTPS_Certificate_Screenshot.png
│   ├── Web_Admin_MFA_Enabled.png
│   ├── External_Scan_Report_Summary.pdf
│   ├── No_Card_Data_Stored_Proof.png
│   └── CMS_Update_Log_2024.pdf
│
├── 05_Attestation_and_SAQ/
│   ├── SAQ-A_Completed_2024.pdf
│   ├── Attestation_of_Compliance_Signed.pdf
│   └── PCI_Contact_Info_Sheet.pdf
│
└── 06_Annual_Review_and_Change_Logs/
    ├── Annual_PCI_Review_Checklist_2024.pdf
    ├── Gateway_AOC_Updated_2025_Placeholder.txt
    └── Website_Change_Log_2024.xlsx

🧾 Notes on Organization

Clear folder names: Prefix each with a number so evidence stays in logical order.
Version/year suffixes: Add the year (_2024) to help auditing over time.
Readable filenames: Use plain English; avoid internal system paths.
Sensitive file handling: Redact passwords, keys, or IP addresses in screenshots or logs.

🧰 Sample README File

README_SAQ-A_COMPLIANCE.txt

=====================================================================
PCI DSS SAQ‑A Compliance Evidence Repository
Merchant: [Your Company Name]
Scope Year: 2024
Prepared by: [Your Name, Title]
Date Prepared: [YYYY‑MM‑DD]
=====================================================================

1. PURPOSE
-----------
This folder contains documentation and evidence supporting [Company Name]’s 
Self‑Assessment Questionnaire A (SAQ‑A) for PCI DSS compliance. 
Our environment does not store, process, or transmit cardholder data; 
all payment processing is outsourced to PCI DSS‑validated third parties.

2. STRUCTURE OVERVIEW
----------------------
01_Scope_and_Network/     
   → Contains diagrams and scope summaries proving no in‑scope card data.
02_Third_Party_Compliance/
   → Attestations of Compliance (AOCs) and security certifications 
     from our payment gateway and hosting provider.
03_Policies_and_Procedures/
   → Core security and access control policies, patching, and 
     incident response procedures.
04_Website_Security_Evidence/
   → Screenshots and scan results demonstrating we maintain a secure 
     eCommerce site that never handles card data.
05_Attestation_and_SAQ/
   → Completed SAQ‑A form, signed Attestation of Compliance (AOC), and 
     PCI contact list.
06_Annual_Review_and_Change_Logs/
   → Record of PCI reviews, updated provider attestations, and 
     system change tracking.

3. CONTACT DETAILS
-------------------
PCI Compliance Lead: [Name, Title, Email, Phone]
Alternate Contact:   [Name, Title, Email, Phone]
Acquirer / Processor: [Bank or Payment Processor Name]

4. REVISION HISTORY
--------------------
| Date       | Updated By | Summary of Changes             |
|-------------|------------|--------------------------------|
| YYYY‑MM‑DD | [Name]     | Initial creation of evidence set |
| YYYY‑MM‑DD | [Name]     | Updated provider AOC             |
| YYYY‑MM‑DD | [Name]     | Annual PCI review completed      |

=====================================================================
End of README
=====================================================================

✅ Tips for Use

Keep everything digital (PDF, PNG, DOCX → exported to PDF for integrity).
Update folder contents annually or any time your integration model changes.
Use a secure storage location (e.g., restricted cloud drive or encrypted archive).
When submitting, your acquirer usually wants only the SAQ and Attestation — keep the rest on hand in case of an audit.

This structure mirrors what assessors and acquirers expect when reviewing self‑attested compliance evidence.

October 8, 2025

What are the most common SAQ‑A mistakes newcomers make, and how can I avoid them in my submission?

This is where many first‑time PCI DSS filers stumble.

Even though SAQ‑A looks simple (just a few pages), it’s still a legal attestation of compliance, and a small mistake can cause delays, compliance holds, or even liability issues.

Here’s a breakdown of the most common SAQ‑A mistakes beginners make — and, more importantly, how to avoid them.

🧩 1. Using the wrong SAQ version

Mistake: Completing SAQ‑A when your setup doesn’t qualify — for example, when your website uses embedded payment fields or JavaScript libraries that interact with card data.

Why it’s a problem:
Your site is actually handling cardholder data indirectly, so you need SAQ‑A‑EP, which has stricter requirements. Filing the wrong SAQ form is considered non‑compliance.

How to avoid it:

Read the “Eligibility” criteria in the first pages of each SAQ (A vs. A‑EP vs. D).
Ask your payment gateway which SAQ applies to your integration type.
If your web server ever sees or modifies card data (even transiently), SAQ‑A is not appropriate.

🔌 2. Not verifying service provider PCI compliance

Mistake: Assuming your payment processor or hosting provider is compliant without proof.

Why it’s a problem:
PCI DSS requires you to verify and document that every service provider with access to cardholder data (including cloud hosting and outsourcing partners) is PCI DSS validated.

How to avoid it:

Ask for the provider’s Attestation of Compliance (AOC) or check Visa/Mastercard’s list of validated service providers.
Keep a copy with your SAQ evidence package.
Re‑verify annually — their certificate has an expiration date.

📁 3. Leaving documentation gaps

Mistake: Submitting only the SAQ form without backing policies or evidence.

Why it’s a problem:
Your acquirer might ask to see proof that you operate securely — patch management logs, access control, website architecture, etc.

How to avoid it:
Prepare a small “PCI evidence folder” including:

Payment flow diagram showing where card data is handled externally.
Proof of third‑party compliance (AOCs, contracts).
Internal security policies (passwords, updates, incident response).
Screenshots/logs showing no card data stored in your systems.

🧠 4. Marking “N/A” too liberally

Mistake: Using “Not Applicable” to skip requirements that do apply slightly (e.g., password controls for admin portals).

Why it’s a problem:
SAQ‑A only allows “N/A” for controls that are truly out of scope, meaning the entire requirement cannot apply. An acquirer may reject your submission for misuse of N/A.

How to avoid it:

Only use “N/A” if the PCI DSS form explicitly allows it for SAQ‑A merchants.
When unsure, answer “Yes” and maintain evidence supporting the control.

🔐 5. Forgetting about your own website security

Mistake: Thinking that outsourcing payments means you can ignore website security altogether.

Why it’s a problem:
Attackers compromise merchant websites to redirect payment pages or inject malicious scripts. Even though you don’t store card data, your site could still be the weak link.

How to avoid it:

Keep your CMS and plugins patched.
Use HTTPS everywhere.
Restrict admin access with strong passwords and MFA.
Regularly scan for vulnerabilities (many acquirers require quarterly external scans).

🧾 6. Treating SAQ‑A as a one‑time task

Mistake: Filing once and forgetting about it for years.

Why it’s a problem:
PCI DSS compliance is ongoing. You must re‑validate annually and keep controls in place all year.

How to avoid it:

Establish a recurring “PCI compliance review” every 12 months.
Monitor for changes in your payment setup — new integrations can change SAQ type.

🧰 7. Misunderstanding “no card data stored”

Mistake: Keeping order data with partial card info (like first six/last four) without verifying that storage is PCI‑compliant.

Why it’s a problem:
Even partial card data is regulated if combined with other sensitive fields.

How to avoid it:

Ensure your eCommerce platform only stores non‑sensitive tokens or payment references.
Validate that no logs, backups, or analytics capture card numbers accidentally.

✅ Summary — Avoiding SAQ‑A Pitfalls

#	Common Mistake	Prevention
1	Wrong SAQ type	Confirm integration model with your processor
2	Unverified third‑party compliance	Collect providers’ AOCs
3	Missing evidence	Keep documentation folder ready
4	Misusing “N/A”	Follow PCI guidance strictly
5	Neglecting website security	Maintain patching, MFA, HTTPS
6	One‑time filing	Re‑validate annually
7	Residual card data	Audit logs and databases for sensitive info

By treating the SAQ‑A as a mini‑audit rather than a checkbox exercise, you’ll not only pass compliance smoothly but also strengthen your overall website security posture.

October 8, 2025

How can I prepare Self‑Assessment Questionnaire (SAQ‑A)?

Preparing a PCI DSS Self‑Assessment Questionnaire (SAQ‑A) is straightforward once you understand what it covers and gather the right information. SAQ‑A is the simplest version of the PCI DSS self‑assessment, intended for merchants who fully outsource cardholder data processing (for example, by using a hosted payment page or redirect where no card data passes through your servers).

Here’s a practical step‑by‑step guide:

1. Confirm that SAQ‑A is the right form

You can complete SAQ‑A only if:

All payment processing (authorization, storage, transmission of card data) is handled entirely by a PCI DSS‑validated third party (e.g., Stripe Checkout, PayPal Standard, Adyen Hosted Payment Page, etc.).
Your website does not capture, process, or store card data — even temporarily.
Your eCommerce site simply redirects customers or loads a secure iFrame from the payment provider.
You do not store any cardholder data on your systems (in databases, logs, or caches).

If your integration involves embedded scripts that interact with payment fields (e.g., Stripe Elements), your SAQ type might be SAQ‑A‑EP instead.

2. Obtain the official SAQ‑A template and instructions

You can download the latest SAQ forms from the official PCI Security Standards Council website:
👉 https://www.pcisecuritystandards.org

Look for:
“Self‑Assessment Questionnaire A and Attestation of Compliance.”

It includes:

The Questionnaire (SAQ‑A) — a checklist of requirements.
The Attestation of Compliance (AOC) — a summary and signature page you submit to your acquiring bank or payment processor.

3. Review what the SAQ‑A covers

SAQ‑A includes only a subset of the full PCI DSS requirements, roughly:

Installation and maintenance of secure systems
Use of secure passwords and configurations
Keeping your website free of cardholder data
Ensuring your service providers are PCI DSS validated
Maintaining proper information security policies

The current SAQ‑A has about 22 yes/no questions (out of the 300+ in the full PCI DSS).

4. Gather evidence and documentation

Before filling it out, prepare evidence that supports each “yes” answer. Examples include:

List of all third-party payment service providers and proof of their PCI DSS compliance (e.g., certificates, AOCs).
Network diagrams or architecture outlines showing that your environment doesn’t handle card data.
Policies and procedures for website maintenance, password management, and security patching.
Screenshots or records proving no card data is stored on your servers or databases.

5. Complete the questionnaire

Answer “Yes” for each requirement that you fully meet.
Use “N/A” only if the requirement doesn’t apply (valid only for SAQ‑A‑scoped systems).
Use “No” if a requirement isn’t met, and document a remediation plan.

6. Sign the Attestation of Compliance

The AOC page must be signed by a responsible party — often your business owner or IT/security manager. This confirms that:

You understand which systems are in scope.
You rely only on compliant service providers.
You maintain security policies and practices.

Submit the AOC (and SAQ‑A) to your acquiring bank or payment processor as they require.

7. Maintain and repeat annually

PCI DSS is an annual obligation. Also:

Re‑assess whenever you change your payment integration.
Keep SAQ‑A and supporting evidence on file.
Monitor that your payment providers remain PCI DSS validated each year.

Summary Checklist

Step	Task	Description
1	Confirm eligibility	Ensure no card data passes through your systems
2	Download forms	Get official SAQ‑A & AOC from PCI SSC website
3	Review controls	Read each requirement, verify practices
4	Gather evidence	Payment provider certificates, policies, safety proofs
5	Complete SAQ‑A	Answer all questions truthfully
6	Sign & submit	Send the signed AOC to your acquiring bank
7	Repeat annually	Re‑validate and update as needed

If you’re unsure, many payment providers (Stripe, Braintree, Adyen, etc.) publish merchant guidance for PCI SAQ‑A, with template wording and evidence examples to simplify your compliance filing.

October 8, 2025