SAQ D — Comprehensive

SAQ D is the catch-all. If you store, process, or transmit cardholder data in a way that doesn't fit A, A-EP, B, B-IP, C-VT, C, or P2PE — you're on D. The scope is your full Cardholder Data Environment plus everything connected to it.

Agents typing card numbers into a CRM during a phone call brings the entire call recording, the agent's PC, the network, and often most of the office into PCI scope. A descope solution like Paytia removes the cardholder data from the agent and the call recording entirely — typically reducing SAQ D scope to SAQ A.

If your office WiFi can reach the systems handling card data, you have a problem. Either segment WiFi off entirely or treat it as in-scope (you don't want the latter).

Default deny. Each allow rule needs a documented business justification and an owner.

Card-data databases are not directly accessible from the internet. Web servers in DMZ talk to DB in internal zone via tightly restricted rules.

Default passwords, default community strings, default service accounts — change all before deploying.

One hardening standard per OS / service type, based on a recognised baseline (CIS, NIST). Every new system built to that standard.

Don't run the database, web server, and mail server on the same host. Either separate hosts or strong virtualisation isolation.

Full magstripe, CVV, PIN — never stored, even encrypted. The moment after authorisation, it's gone.

Show first 6 + last 4 at most, by default. Full PAN visible only to those with a documented business need.

Strong encryption with proper key management, or one-way hashing, or truncation, or tokenisation. Don't roll your own crypto.

Keys are stored in HSMs or equivalently protected. Key custodians have signed responsibility statements.

TLS 1.2 or above. Disable weak ciphers. Annual SSL Labs scan should be A or A+.

Endpoint protection on workstations and servers. Updates automatic. Logs sent to central monitoring.

Critical patches go on within a month. Tracked in a ticketing system with deployment dates.

Developers trained in secure coding (OWASP Top 10 minimum). Code reviews check for the common stuff. SAST/DAST tooling helps but isn't sufficient alone.

Either a WAF in front of every public-facing web app, or every code change reviewed by qualified personnel.

Default deny. Access granted by job role. Reviewed at least every 6 months.

MFA for every admin login. MFA for every remote access into the network. Push notifications or hardware tokens, not SMS.

Every person has their own login. No 'admin' account that three people use.

Server rooms locked. Access logged. Visitors escorted.

Logins, admin actions, access to cardholder data, changes to user accounts, system clock changes, log access, all critical errors.

FIM on system binaries, configuration files, and audit logs themselves. Alerts on unauthorised change.

Either a SIEM with alerting or a person who genuinely reviews the daily summary. Document who did the review and what they found.

Three months immediately available, the rest in colder storage.

Approved Scanning Vendor scans every quarter and after significant change. Address findings.

Internal scans by qualified personnel. Same cadence as external.

Full pen test once a year and after significant change. Methodology documented. Findings tracked to closure.

Detect unauthorised modification of system files, config files, content files. Alert on change. Investigate.

Comprehensive policy covering all 12 PCI requirements. Reviewed annually. Distributed to staff.

Policies for laptops, tablets, removable media, internet, email — covering authorised use, owners, accepted use, network locations.

Training at hire and annually. Multiple methods (email, posters, training modules). Sign-off after each training.

List all third parties with access to cardholder data. Written agreements. Annual AOC review. Document who's responsible for what (you vs them).

Documented, tested annually, includes notification of card brands and acquirer, roles assigned, communication procedures.