
Overview

The Payment Card Industry Data Security Standard (PCI DSS) requires all organizations that store, process, or transmit cardholder data to validate their compliance annually. The Self-Assessment Questionnaire (SAQ) is the most common validation method for merchants processing fewer than 6 million transactions per year. This guide walks you through determining which SAQ applies to your Yuno integration, completing it section by section, and maintaining ongoing compliance. For an overview of PCI DSS and how Yuno reduces your compliance scope, see PCI Compliance.

PCI DSS: Why It Matters

PCI DSS protects cardholder data throughout the payment lifecycle. Non-compliance exposes your business to:

| Risk | Impact |
|---|---|
| Data breach liability | Financial responsibility for compromised card data, including forensic investigation costs ($50,000-$500,000+) |
| Card network fines | $5,000-$100,000 per month of non-compliance |
| Increased processing fees | Acquirers may impose higher rates on non-compliant merchants |
| Account termination | Loss of ability to accept card payments |
| Reputational damage | Customer trust erosion after a breach |

Yuno is PCI DSS Level 1 certified, the highest level of certification. By using Yuno’s SDK or tokenization, you inherit Yuno’s compliance controls and significantly reduce your own PCI scope.

SAQ Types: Which Applies to You

Your SAQ type depends on how your integration handles cardholder data.

| SAQ Type | Integration Method | Card Data on Your Servers | Questions | Complexity |
|---|---|---|---|---|
| SAQ A | Yuno Checkout SDK (Full or Lite), iframe-based | Never | ~22 | Simplest |
| SAQ A-EP | Secure Fields, tokenized Direct API, redirect | Never (but your site controls the payment page) | ~139 | Moderate |
| SAQ D | Direct API with raw PAN handling | Yes | ~300+ | Most comprehensive |

How to Determine Your SAQ Type

  1. Identify your integration method

     Check your implementation: do you use Yuno’s Checkout SDK, Secure Fields, or Direct API?

  2. Determine if card data touches your servers

     If you use the SDK or Secure Fields, card data is captured by Yuno’s iframe and your servers never see raw PANs. If you send raw card numbers via the Direct API, your servers handle cardholder data.

  3. Confirm with your acquirer

     Your acquiring bank has the final say on which SAQ type you must complete. Share your integration architecture with them for confirmation.

Note: If any part of your payment page (including the page hosting Yuno’s iframe) is served from your domain, you likely qualify for SAQ A-EP rather than SAQ A. SAQ A applies only when the entire payment experience is hosted by the payment provider. Confirm with your acquirer.

Using Yuno’s Attestation of Compliance

Yuno’s PCI DSS Level 1 Attestation of Compliance (AOC) documents Yuno’s compliance status and can be referenced in your own SAQ to demonstrate that your payment processing partner meets PCI requirements.

How to Obtain Yuno’s AOC

  1. Navigate to Dashboard > Settings > Compliance or contact your Yuno account manager.
  2. Download the current AOC (updated annually after Yuno’s QSA audit).
  3. Reference the AOC in your SAQ where asked about third-party service providers.

What Yuno’s AOC Covers

| Scope | Covered by Yuno’s AOC |
|---|---|
| Cardholder data storage and encryption | Yes |
| Tokenization infrastructure | Yes |
| Payment processing servers and network | Yes |
| 3DS authentication infrastructure | Yes |
| SDK and hosted payment form security | Yes |
| Your application servers | No (your responsibility) |
| Your network infrastructure | No (your responsibility) |
| Your employee access controls | No (your responsibility) |

SAQ A Completion Checklist

SAQ A is the simplest questionnaire, applicable when all cardholder data functions are fully outsourced to Yuno via the Checkout SDK. Below is a section-by-section guide.

Section 1: Install and Maintain Network Security Controls

| Requirement | What It Means | Your Action |
|---|---|---|
| 1.1 | Processes for network security controls are defined and known | Document your firewall rules and review process |
| 1.2 | Network security controls are configured and maintained | Ensure firewalls restrict traffic to necessary ports and protocols |

For SAQ A merchants: Your network security scope is limited to the systems that host the page containing Yuno’s payment iframe.

Even with SAQ A, you must ensure the page hosting Yuno’s SDK is served over HTTPS (TLS 1.2+) and that your web server’s firewall configuration is documented and reviewed periodically.

Section 2: Apply Secure Configurations to All System Components

| Requirement | What It Means | Your Action |
|---|---|---|
| 2.1 | Vendor-supplied defaults are changed | Change all default passwords on servers hosting payment pages |
| 2.2 | System components are configured securely | Harden web servers: disable unnecessary services, apply secure headers |

Key actions:
  • Remove or disable default accounts on your web server
  • Apply security headers: Content-Security-Policy, X-Frame-Options, Strict-Transport-Security
  • Document your server hardening configuration

Section 6: Develop and Maintain Secure Systems and Software

| Requirement | What It Means | Your Action |
|---|---|---|
| 6.1 | Identify and manage security vulnerabilities | Maintain an inventory of software components and monitor for vulnerabilities |
| 6.2 | Develop software securely | Follow secure coding practices for your application |
| 6.3 | Protect against web application attacks | Deploy a WAF or conduct regular vulnerability assessments |
| 6.4 | Manage changes to system components | Use a formal change control process for production changes |

Key actions:
  • Keep web server software, frameworks, and libraries updated with security patches
  • Conduct vulnerability scans on your web-facing assets quarterly
  • Ensure the page hosting Yuno’s SDK does not include third-party scripts that could intercept card data

Third-party JavaScript on your payment page is a significant risk vector. Scripts from analytics, advertising, or other providers could be compromised to skim card data entered into payment forms, even those rendered in iframes. Audit all scripts on pages that include Yuno’s SDK.
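The two checks that Section 2 (security headers) and Section 6 (third-party scripts on the payment page) ask for can be automated against a captured copy of your payment page. The script below is an added example, not Yuno’s code: it takes the page’s HTML and response headers, reports missing or weak Strict-Transport-Security, Content-Security-Policy and X-Frame-Options headers, and flags inline scripts, scripts from hosts outside an allowlist, and cross-origin scripts with no Subresource Integrity hash. The hostnames, header policy, sample page and hash are constructed placeholders; substitute the SDK host from Yuno’s documentation and your own domain.

```python
"""Audit a page that hosts a payment iframe: response headers and script tags.

Added example; not Yuno's code. Hostnames, header policy and the sample page are
constructed placeholders. Run it against your own page's HTML and headers.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Headers the page should send, each with a minimal sanity check on its value.
# (Constructed policy: tighten the checks to match your own baseline.)
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "script-src" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

# Hosts allowed to serve scripts on the payment page. Placeholder names:
# substitute the SDK host from Yuno's documentation and your own domain.
SCRIPT_ALLOWLIST = {"sdk.payment-provider.example", "shop.example"}


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src and integrity attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def audit_headers(headers):
    """Return findings for missing or weak security headers (names compared case-insensitively)."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, is_ok in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(f"missing header: {name}")
        elif not is_ok(present[name]):
            findings.append(f"weak header value: {name}: {present[name]}")
    return findings


def audit_scripts(html, allowlist=SCRIPT_ALLOWLIST):
    """Return findings for inline scripts, scripts from hosts outside the allowlist,
    and cross-origin scripts that carry no Subresource Integrity hash."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        src = s["src"]
        if not src:
            findings.append("inline script: review its content or move it to a vetted file")
            continue
        host = urlparse(src).hostname
        if host is None:
            # Relative URL: served from your own origin and covered by your change control
            continue
        if host not in allowlist:
            findings.append(f"script from host outside the allowlist: {src}")
        if not s["integrity"]:
            findings.append(f"cross-origin script without SRI integrity attribute: {src}")
    return findings


# Constructed sample page and headers standing in for a real capture.
SAMPLE_HTML = """<html><head>
<script src="https://sdk.payment-provider.example/sdk.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="/static/checkout.js"></script>
<script src="https://tag.analytics-vendor.example/tag.js"></script>
<script>window.dataLayer = [];</script>
</head><body>
<iframe src="https://checkout.payment-provider.example/"></iframe>
</body></html>"""

SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) + audit_scripts(SAMPLE_HTML):
        print("FINDING:", finding)
```

On the constructed sample this reports a missing Content-Security-Policy, a non-standard X-Frame-Options value, the analytics tag (unlisted host, no SRI) and the inline snippet. SRI only works for scripts whose content is fixed at deploy time, so for a vendor bundle that is updated in place the allowlist and CSP checks carry the control, and the SRI finding is the prompt to ask the vendor for a pinned build.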

Section 9: Restrict Physical Access to Cardholder Data

| Requirement | What It Means | Your Action |
|---|---|---|
| 9.1 | Physical access to systems is restricted | Restrict access to servers and networking equipment |

For SAQ A merchants: If your servers are cloud-hosted (AWS, GCP, Azure), your cloud provider handles physical security. Reference their compliance certifications (SOC 2, PCI DSS) in your documentation.

Section 12: Support Information Security with Organizational Policies

| Requirement | What It Means | Your Action |
|---|---|---|
| 12.1 | Information security policy is established and maintained | Create and maintain a written security policy |
| 12.8 | Third-party service providers are managed | Maintain a list of service providers (including Yuno) with their compliance status |
| 12.10 | Security incidents are detected and responded to | Implement an incident response plan (see Incident Response) |

Key actions:
  • Maintain a written information security policy reviewed annually
  • Keep a registry of all third-party service providers that access or could impact cardholder data
  • Retain Yuno’s AOC as evidence of your payment provider’s compliance
  • Establish and test an incident response plan at least annually

Common Compliance Gaps and How to Fix Them

| Gap | Risk | Fix |
|---|---|---|
| No documented security policy | Fails Section 12.1 | Create a written policy covering data security, access control, and incident response. Template-based policies are acceptable if customized to your environment. |
| Default credentials on servers | Fails Section 2.1 | Audit all systems for default passwords and replace them. Use a password manager for secure credential storage. |
| Unpatched web server | Fails Section 6.1 | Implement automated patch management. Apply critical security patches within 30 days of release. |
| Third-party scripts on payment page | Fails Section 6.3 | Audit scripts on pages containing Yuno’s SDK. Remove unnecessary scripts. Implement Subresource Integrity (SRI) for required scripts. |
| No vulnerability scanning | Fails Section 6.2 | Engage an Approved Scanning Vendor (ASV) for quarterly external scans. Use internal scanning tools for ongoing monitoring. |
| No service provider inventory | Fails Section 12.8 | Create a spreadsheet listing all service providers, their compliance certifications, and annual review dates. Include Yuno with their AOC. |
| No incident response plan | Fails Section 12.10 | Develop an incident response plan following the structure in the Incident Response Playbook. Test annually. |

Ongoing Monitoring Requirements

PCI compliance is not a one-time event. Maintain these ongoing activities:

| Activity | Frequency | Owner | Evidence |
|---|---|---|---|
| Vulnerability scans (external) | Quarterly | Security / ASV vendor | ASV scan reports (passing) |
| Vulnerability scans (internal) | Quarterly | Engineering | Internal scan reports |
| Security policy review | Annually | Security / Management | Dated, signed policy document |
| Service provider review | Annually | Security | Updated provider inventory with current AOCs |
| Penetration testing | Annually (SAQ A-EP, SAQ D) | Security / Third-party firm | Penetration test report |
| Security awareness training | Annually | HR / Security | Training completion records |
| Access review | Quarterly | Security / Management | Access review documentation |
| Log review | Daily (SAQ D), Weekly (SAQ A-EP) | Security / Engineering | Log review records |

SAQ A merchants have the lightest ongoing requirements (quarterly ASV scans, annual policy review, annual SAQ re-submission). SAQ A-EP and SAQ D merchants have progressively more rigorous requirements. Plan your resources accordingly.
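The table above is easier to act on as a register that computes due dates and flags missing evidence per SAQ type. The script below is an added example, not Yuno’s code: each activity carries its frequency, the SAQ types it applies to (mirroring the table), the date it was last completed and a reference to the evidence artifact, and the helpers return what is overdue and what has no evidence on file. The sample register, dates and file names are constructed placeholders.

```python
"""Register of ongoing PCI activities with overdue and missing-evidence checks.

Added example; not Yuno's code. The activity list, dates and evidence paths
are constructed; the frequencies and SAQ applicability follow the table above.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum interval allowed between two completions of an activity.
FREQUENCY_DAYS = {"daily": 1, "weekly": 7, "quarterly": 91, "annually": 365}

ALL_SAQ = ("SAQ A", "SAQ A-EP", "SAQ D")


@dataclass
class Activity:
    name: str
    frequency: str            # key of FREQUENCY_DAYS
    applies_to: tuple         # SAQ types for which the activity is required
    last_completed: date
    evidence: str = ""        # reference to the evidence artifact; "" if none filed


def applicable(activities, saq_type):
    """Activities required for the given SAQ type."""
    return [a for a in activities if saq_type in a.applies_to]


def next_due(activity):
    """Date by which the activity must be completed again."""
    return activity.last_completed + timedelta(days=FREQUENCY_DAYS[activity.frequency])


def overdue(activities, saq_type, today):
    """Names of required activities whose next due date has already passed."""
    return [a.name for a in applicable(activities, saq_type) if next_due(a) < today]


def missing_evidence(activities, saq_type):
    """Required activities with no evidence artifact on file."""
    return [a.name for a in applicable(activities, saq_type) if not a.evidence]


# Constructed sample register; dates and file names are placeholders.
SAMPLE_REGISTER = [
    Activity("External ASV scan", "quarterly", ALL_SAQ, date(2025, 1, 15), "asv/2025-Q1.pdf"),
    Activity("Internal vulnerability scan", "quarterly", ALL_SAQ, date(2025, 4, 10), "scans/2025-04.txt"),
    Activity("Security policy review", "annually", ALL_SAQ, date(2024, 9, 1), "policy/infosec-2024.pdf"),
    Activity("Service provider review", "annually", ALL_SAQ, date(2024, 5, 1), "providers/2024.xlsx"),
    Activity("Penetration test", "annually", ("SAQ A-EP", "SAQ D"), date(2024, 8, 20), "pentest/2024.pdf"),
    Activity("Security awareness training", "annually", ALL_SAQ, date(2024, 11, 20)),  # no evidence filed
    Activity("Access review", "quarterly", ALL_SAQ, date(2025, 4, 10), "access/2025-Q2.csv"),
    Activity("Log review", "weekly", ("SAQ A-EP",), date(2025, 5, 20), "logs/week-21.txt"),
    Activity("Log review", "daily", ("SAQ D",), date(2025, 5, 31), "logs/2025-05-31.txt"),
]

AS_OF = date(2025, 6, 1)  # constructed "as of" date for the report

if __name__ == "__main__":
    for saq in ALL_SAQ:
        print(saq, "overdue:", overdue(SAMPLE_REGISTER, saq, AS_OF))
        print(saq, "missing evidence:", missing_evidence(SAMPLE_REGISTER, saq))
```

Run on the constructed register as of 1 June 2025, SAQ A shows the ASV scan and the service provider review overdue; SAQ A-EP additionally shows the weekly log review; and the training row has no evidence for any SAQ type, which is exactly the gap an assessor would ask about.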

Annual Re-Certification Process

  1. Schedule your assessment (60 days before expiration)

     Begin your annual SAQ completion at least 60 days before your current certification expires. Your acquirer sets the annual deadline.

  2. Gather documentation

     Collect all required evidence: ASV scan reports, security policies, service provider AOCs (including Yuno’s current AOC), training records, and access review logs.

  3. Complete the SAQ

     Answer each question based on your current environment. For any question answered “No” or “N/A,” provide an explanation or compensating control.

  4. Remediate gaps

     Address any compliance gaps identified during the self-assessment before submitting. Document all remediation actions.

  5. Sign and submit

     An authorized officer must sign the Attestation of Compliance. Submit the completed SAQ and AOC to your acquiring bank.

Documentation to Maintain

Keep these documents current and accessible for audits:

| Document | Update Frequency | Retention |
|---|---|---|
| Completed SAQ and AOC | Annually | Current + 3 prior years |
| Information security policy | Annually (or on change) | Current + 3 prior years |
| Network diagram | On change | Current + 1 prior version |
| Service provider inventory | Annually | Current year |
| Yuno AOC | Annually (when renewed) | Current year |
| ASV scan reports | Quarterly | 12 months minimum |
| Vulnerability remediation records | As needed | 12 months minimum |
| Incident response plan | Annually (or after incident) | Current + 1 prior version |
| Training records | Annually | 3 years |
| Change management logs | Ongoing | 12 months minimum |

Best Practices

  • Start with the simplest SAQ: Use Yuno’s Checkout SDK to qualify for SAQ A and minimize your compliance burden. Only use Direct API with raw PANs if your business requires it.
  • Automate vulnerability scanning: Set up automated quarterly scans with an ASV to avoid missed deadlines.
  • Keep your Yuno AOC current: Request an updated AOC after Yuno completes their annual QSA audit. An expired AOC is a compliance gap.
  • Minimize your payment page: Remove all unnecessary JavaScript from pages that host Yuno’s SDK. Every additional script increases risk and may affect your SAQ eligibility.
  • Document as you go: Maintaining compliance documentation throughout the year is far easier than reconstructing it at re-certification time.
  • Engage your acquirer early: If you are unsure which SAQ applies to your integration, ask your acquiring bank before beginning the assessment. Completing the wrong SAQ wastes time and may not satisfy your compliance obligation.