Quality, Expert-Derived Cybersecurity Documentation To Keep Organizations Secure, Compliant & Resilient - No AI Slop!
ComplianceForge

PCI DSS v4.0 Policies, Standards & Procedures

Accepting payment cards spans industries, even businesses that would not necessarily consider themselves to be a "merchant" in terms of traditional brick & mortar retailers. However, any company that accepts payment via debit and/or credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). Some businesses choose to segment off the cardholder environment and manage it by its own unique policies and standards. Other businesses address PCI DSS requirements as part of its overall policies and standards. Either way works and ComplianceForge offers solutions for both approaches!

Key Takeaways - PCI DSS v4.0 Compliance Templates
  • PCI DSS v4.0 is the current version of the Payment Card Industry Data Security Standard, applicable to any organization that stores, processes, or transmits cardholder data.
  • Eight SAQ-specific documentation products aligned to the PCI SSC's Self-Assessment Questionnaire types. Each product is scoped precisely to its SAQ.
  • SAQs A and A-EP are for e-commerce merchants. SAQs B and B-IP are for merchants using imprint machines or stand-alone dial-out terminals. SAQs C and C-VT are for POS or virtual terminal environments. SAQ D covers full PCI DSS scope for merchants and service providers.
  • SAQ D (Merchant and Service Provider) products include the most comprehensive documentation, reflecting the full PCI DSS scope. These are the most commonly purchased products.
  • Every SAQ product is delivered as editable Microsoft Word and Excel documents with single-entity licensing.
Category Overview

What Self-Assessment Questionnaire (SAQ) Type Are You?

SAQs are requirements for smaller merchants and service providers that are not required to submit a Report on Compliance (ROC). It is designed as a self-validation tool to assess security for cardholder data that uses a series of yes-or-no questions for each applicable PCI DSS requirement.

There are different questionnaires available to meet different merchant environments. Merchants are required to identify the SAQ that best describes how it accept payment cards. Some organizations may even need to fill out different SAQs, based on different methods of accepting payment (e.g., SAQ A for its website and SAQ C for its "brick & mortar" store locations). If you are not sure which questionnaire applies to you, contact your merchant services provider for assistance or review the official PCI Security Standards Council's guidance on "assessing the security of your cardholder data" to help determine the appropriate SAQ type for your organization - SAQ Instructions and Guidelines.

ComplianceForge sells its PCI DSS Policies & Standards based on the SAQ type (shown below):

SAQ Type
Method of Accepting Payment Cards
E-Commerce
In-Person
A
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third parties, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.
Yes
No
A-EP
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.
Yes
No
B
Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.
No
Yes
B-IP
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
No
Yes
C
Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.
No
Yes
C-VT
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
No
Yes
D (Merchant)
All merchants not included in descriptions for the above types.
Yes
Yes
D (Service Provider)
All service providers defined by a payment card brand as eligible to complete a SAQ.
N/A
N/A

You can click on the matrix below for a downloadable PDF that shows the PCI DSS v4 controls as they apply to the SAQ levels:

PCI DSS v4 mapping matrix example
ComplianceForge's Approach

Why SAQ-Specific Documentation Matters

Most PCI DSS documentation products on the market provide a single monolithic document covering the full DSS, which customers must trim down to match their actual SAQ scope. This approach has several problems: irrelevant controls remain in the documentation (which auditors may still test), scope becomes ambiguous (making audit response harder), and maintenance overhead increases (every framework update requires re-trimming).

ComplianceForge's SAQ-specific approach eliminates these problems. Each SAQ product is precisely scoped to its SAQ, so documentation matches exactly what the assessor will review. For many organizations, this reduces audit effort significantly while improving defensibility.

Current Version

Aligned With PCI DSS v4.0

All products in this category are aligned with PCI DSS v4.0, the current version of the standard. PCI DSS v4.0 replaced v3.2.1 and introduced significant changes including the customized approach, expanded service provider scope, updated authentication requirements, and more granular vulnerability management expectations.

Future quarterly updates (available via optional subscription) will reflect PCI DSS v4.0 errata and any future version transitions as the PCI SSC publishes them.

Available Products

Available PCI DSS SAQ Products

Eight SAQ-specific products. Select the one matching your assessment scope. If unsure which SAQ applies, consult your acquirer or QSA before purchase.

$ 1,155.00 USD
Policies & Standards - PCI DSS v4 SAQ A
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Contains:
Word
Excel
PowerPoint
PDF
Examples:
Word Example
Excel Example
$ 1,155.00 USD
Policies & Standards - PCI DSS v4 SAQ A-EP
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Contains:
Word
Excel
PowerPoint
PDF
Examples:
Word Example
Excel Example
$ 1,325.00 USD
Policies & Standards - PCI DSS v4 SAQ B
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Contains:
Word
Excel
PowerPoint
PDF
Examples:
Word Example
Excel Example
$ 1,325.00 USD
Policies & Standards - PCI DSS v4 SAQ B-IP
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Contains:
Word
Excel
PowerPoint
PDF
Examples:
Word Example
Excel Example
$ 1,625.00 USD
Policies & Standards - PCI DSS v4 SAQ C
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Contains:
Word
Excel
PowerPoint
PDF
Examples:
Word Example
Excel Example
$ 1,625.00 USD
Policies & Standards - PCI DSS v4 SAQ C-VT
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Contains:
Word
Excel
PowerPoint
PDF
Examples:
Word Example
Excel Example
$ 1,870.00 USD
Policies & Standards - PCI DSS v4 SAQ D (Merchant)
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Contains:
Word
Excel
PowerPoint
PDF
Examples:
Word Example
Excel Example
$ 1,870.00 USD
Policies & Standards - PCI DSS v4 SAQ D (Service Provider)
The Cybersecurity & Data Protection Program (CDPP) version for PCI DSS v4.0 contains necessary cybersecurity policies & standards in an editable Microsoft Word format.In addition to the PCI DSS Cybersecurity Policies & Standards, you get additional documentation that will help you implement it and ensure you stay compliant. It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft.
Contains:
Word
Excel
PowerPoint
PDF
Examples:
Word Example
Excel Example
Contact Us

Comprehensive Coverage

Give us a call or send us an email - we are happy to help you find the right solution for your needs!

There are a lot of choices to pick from when selecting a cybersecurity framework. If you are not sure what works best for you, you can read more here. The most common frameworks are NIST 800-53, ISO 27002, the NIST Cybersecurity Framework and the Secure Controls Framework (SCF). To do NIST CSF, ISO 27002 or NIST SP 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to comply with NIST CSF vs ISO 27002 vs NIST SP 800-53, since there are significantly different levels of expectation.

It is important to understand that picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:

  • Not be considered negligent with reasonable expectations for cybersecurity & data protection;
  • Comply with applicable laws, regulations and contractual obligations; and
  • Implement the proper controls to secure your systems, applications and processes from reasonable threats, based on your specific business case and industry practices.

This understanding makes it easy to determine where on the "framework spectrum" (shown above) you need to focus for selecting a set of cybersecurity principles to follow. This process generally leads to selecting the NIST Cybersecurity Framework, ISO 27002, NIST SP 800-53 or SCF as a starting point.