SAQ A merchant manual
Section 1 – Departmental Merchant Agreement
Section 2 – Annual PCI Self-Assessment Questionnaire
Section 3 – Cardholder Data Flow Diagram
Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment
Section 5 – Third-Party Service Providers Documentation
Section 6 – PAN Scan Results
Section 7 – Training log
SAQ A Merchant Manual Yearly Upkeep Steps
- Review your policies and procedures annually and record that the review took place in the "Revision History" of your policies.
- Distribute the new policies to your staff and have them complete the Annual Policy Acknowledgement.
- Complete and sign the SAQ A annually.
- Make sure 3rd party documentation is updated annually.
- Make sure to have a new PAN scan performed annually.
- Enroll staff, complete the annual online security training, and update your training log.
SAQ B merchant manual
Section 1 – Departmental Merchant Agreement
Section 2 – Annual PCI Self-Assessment Questionnaire
Section 3 – Cardholder Data Flow Diagram (use the data flow from the Operational policies and procedures)
Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment
Section 5 – Third-Party Service Providers Documentation
Section 6 – PAN Scan Results
Section 7 – Terminal Security Section
Capture Device Periodic Inspection Procedures
Capture Device Periodic Inspection Log
Section 8 – Training log
SAQ B Merchant Manual Yearly Upkeep Steps
- Review your policies and procedures annually and record that the review took place in the "Revision History" of your policies.
- Distribute the new policies to your staff and have them complete the Annual Policy Acknowledgement.
- Complete and sign the SAQ B annually.
- Make sure your 3rd party documentation is updated annually.
- Make sure to have a new PAN scan performed annually.
- Enroll staff, complete the annual online security training, and update your training log.
- Perform your periodic physical inspections of your terminal(s).
SAQ C-VT merchant manual
Section 1 – Departmental Merchant Agreement
Section 2 – Annual PCI Self-Assessment Questionnaire
Section 3 – Cardholder Data Flow Diagram (use the data flow from the Operational policies and procedures)
Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment
Section 5 – Third-Party Service Providers Documentation
Section 6 – PAN Scan Results
Section 7 – Training log
Section 8 – Configuration Guide for in-scope systems (Firewall, Workstations, etc.)
Section 9 – Firewall Rules with business justification for all allowances
Section 10 – Network Diagram
Section 11 – Connectivity Diagram
SAQ C-VT Merchant Manual Yearly Upkeep Steps
- Review your policies and procedures annually and record that the review took place in the "Revision History" of your policies.
- Distribute the new policies to your staff and have them complete the Annual Policy Acknowledgement.
- Complete and sign the SAQ C-VT annually.
- Make sure your 3rd party documentation is updated annually.
- Make sure to have a new PAN scan performed annually.
- Enroll staff, complete the annual online security training, and update your training log.
- Review your configuration guide annually.
- Review your firewall rules every 6 months.
- Review your network and configuration diagrams annually.
- Make sure your Anti-Virus is current and performing scans.
- Make sure Anti-Virus audit logs are retained for at least 1 year with the last 3 months readily available.
- Make sure all critical patches are applied to in-scope systems within 30 days of release.
P2PE merchant manual
Section 1 – Departmental Merchant Agreement
Section 2 – Annual PCI Self-Assessment Questionnaire
Section 3 – Cardholder Data Flow Diagram (use the data flow from the Operational policies and procedures)
Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment
Section 5 – Third-Party Service Providers Documentation
Section 6 – PAN Scan Results
Section 7 – Terminal Security Section
Capture Device Periodic Inspection Procedures
Capture Device Periodic Inspection Log
Section 9 – Training log
Section 10 – PIM (P2PE Installation Manual)
SAQ P2PE Merchant Manual Yearly Upkeep Steps
- Review your policies and procedures annually and record that the review took place in the "Revision History" of your policies.
- Distribute the new policies to your staff and have them complete the Annual Policy Acknowledgement.
- Complete and sign the SAQ P2PE annually.
- Make sure your 3rd party documentation is updated annually.
- Make sure to have a new PAN scan performed annually.
- Enroll staff, complete the annual online security training, and update your training log.
- Perform your periodic physical inspections of your terminal(s).
- Review your PIM (P2PE Installation Manual) annually to ensure it is up to date.
Reviewed 2022-08-18