PCI Compliance Forms - Self Assessment Questionnaire

Jeff Hebrink -

This is a good article from our Universal Payment Gateway partner Shift4 to help answer some FAQs related to the self assessment forms your merchant service providers ask you to fill out:

Link to Article


Making Heads or Tails of Your PCI Compliance Forms

thumbWe've seen a pattern of confusion from merchants who are attempting to complete their PCI compliance forms. Shift4 has provided some frequently asked questions (along with our answers) to help clear things up

Your merchant services provider (MSP) may have asked you to complete a do-it-yourself PCI compliance form. The purpose of their forms is to assist you in completing a PCI compliance self-assessment questionnaire (SAQ). Some MSPs will create a designated Web portal to assist you in completing the SAQ, while others opt to simply send the physical forms directly to their merchants for them to complete. These forms will lead you through a series of questions that serve to identify your PCI scope and qualify the status of your PCI compliance.
Not All Compliance Forms Are Created Equal
Depending on the degree of instruction from your MSP, these Web portals and compliance forms are not always as easy to understand as they should be. They sometimes oversimplify the SAQ process, which ends up causing more confusion than clarity. It’s also not always explained where merchants should turn with questions that they have when completing the compliance forms.
With that in mind, we've put together a list of common questions and/or roadblocks that our merchant customers have experienced while completing their SAQ.

Q: Who should I go to first with questions about my compliance form?
A: If you are struggling to complete your PCI compliance forms and need assistance, we recommend that you start by reaching out to your MSP. They will be able to answer the majority of your questions regarding the forms, or they will refer you to a PCI-certified Qualified Security Assessor (QSA) that can assist you further. 

Q: Why can't Shift4 help me complete the compliance form?
A: Shift4 does play a role in your PCI compliance efforts, but we are only one piece of your PCI puzzle. Because of that, we are not able to evaluate your entire environment, which is what a QSA company is qualified to do. 

Q: What questions can Shift4 answer regarding my compliance form?
A: Typically, there are sections of these forms where you will need to provide information about your service provider and payment applications. This is where Shift4 is able to help you. You should still start by contacting your MSP, but you may need to reach out to Shift4 for additional information. 

Q: Who should I list as my service provider?
A: You should list “Shift4 Corporation, Las Vegas” as well as any other service providers that you have.DOLLARS ON THE NET® should not be listed here because it is a software-as-a-service (SaaS) solution, not a service provider. 

Q: What should I list as my PA-DSS application?
A: This description will vary depending on the DOLLARS ON THE NET payment gateway services you’re using. You should always keep a complete list of PCI-compliant payment applications that are installed and running within your payment environment. On your compliance forms, Shift4’s Universal Transaction Gateway®(UTG®) should be listed, as well as any other PCI-validated solutions that you are using. Again, do not list DOLLARS ON THE NET as the payment application, as it is a SaaS solution. You can refer to our Security Corner if you have any questions about the certifications of our payment solutions. Contact Shift4 if you are uncertain which of our solutions you are currently using. 

Q: Why is Shift4's P2PE solution not listed as a validated solution on the PCI's website?
A: Shift4’s point-to-point encryption solution, True P2PE™, meets, and in most cases exceeds, the standards set by the PCI. However, it is not currently PCI-validated. This is because True P2PE was developed before the Payment Card Industry Security Standards Council (PCI SSC) released their standards for P2PE solutions, which then isolated solutions that didn’t fit their new standards. 

Q: What do I put down if I am asked about network scans?
A: If there are questions related to network scans, you may need to work with a QSA to define your PCI DSS scope. Do not include DOLLARS ON THE NET because Shift4 performs its own internal and external ASV network scans.
If you have any questions about Shift4’s products or services and how they improve your security, please call our Customer Support team at 702.597.2480 (option 2) or email support@shift4.com.
Have more questions? Submit a request


Please sign in to leave a comment.