When it comes to compliance with the Payment Card Industry Data Security Standard (PCI DSS), filling in the right self-assessment questionnaire(s) (SAQs) is the task that gives managers the most headaches. With this in mind, I spoke to Alastair Stewart, PCI Consultant at IT Governance, who lifted the curtain on the SAQs and provided some useful guidance to cope with the challenge.
A: Self-assessment questionnaires are compliance validation documents provided by the PCI Security Standards Council (SSC) to allow merchants and service providers to attest to compliance with the PCI DSS.
Under the PCI DSS there are two ways an organisation can become compliant with the Standard: the first is to have an audit performed by an external Qualified Security Assessor (QSA), which is only required for organisations whose acquiring bank deems them to be the highest risk (also known as level 1 merchants or service providers). The second option, which is for all other organisations, is to self-assess as being compliant with the Standard. To do this, the organisation fills out the correct SAQ(s) and submits it to their acquiring bank.
Q: What are the main changes to the SAQs in v3.0 of the PCI DSS?
A: The first major change is that the PCI SSC added three new SAQs in v3.0 of the PCI DSS to allow them to better reflect the different merchant and service provider payment models that have evolved since v2.0 of the Standard. These new SAQs were created to make the questionnaires more flexible and easier to understand.
The second major change is in the wording of the eligibility criteria of each of the SAQs. These eligibility criteria are the requirements that the organisation must meet in order to qualify to complete the respective SAQ. Under v2.0 of the Standard, the criteria all started with a phrase such as “Your company handles only card-not-present transactions” or “Your company’s only payment processing is done via a virtual terminal”. This meant that if you used multiple methods of taking payments you could only fill out SAQ D, which is the full 289-question SAQ. Under v2.0 of the PCI DSS each organisation could only fill out one SAQ, which in most cases ended up being SAQ D. Many organisations disliked the amount of work involved in becoming compliant.
In the PCI DSS v3.0 SAQs they have added the phrase “merchants confirm that, for this payment channel:” before each of the eligibility criteria. This means that any organisation can fill out multiple SAQs, as long as each of its different payment methods (or channels) fits the criteria for one of the SAQs, and then complete them. This means that it can be much easier to complete the questionnaires by dividing up the payment channels and concentrating on one at a time.
Q: Do I have to meet all of the PCI DSS validation requirements?
A: Each SAQ has a different sub-set of the PCI DSS requirements that are relevant to the payment channel in question, and all questions on each SAQ must be answered. It is possible to mark requirements as ‘Not Applicable’ (not all can be marked N/A; a few are always applicable, so please seek further guidance on this), provided the organisation can justify the non-applicability. It is also possible to use what is called a ‘compensating control’ where an organisation is unable to meet the requirement for business, legal or contractual reasons, but this must be fully justified and documented within the SAQ.
Q: How many different types of SAQ are there?
A: There are currently nine different SAQs, and selecting the correct one is important, as filling out the wrong SAQ(s) will invalidate your compliance.
Q: How do I select the SAQ relevant to my organisation?
A: Selecting the correct SAQ(s) can be a complex task as many have several eligibility criteria, all of which must be met. Determining if the criteria have been met will require some technical knowledge of your organisation’s IT in relation to your payment methods. While it is possible to determine which SAQ fits your payment channels on your own, we strongly advise seeking expert help in conjunction with your IT team’s input to ensure selection of the correct SAQ(s).
Q: Where can I get help to complete the SAQ?
A: It’s worth mentioning that the PCI SSC encourages organisations to seek professional guidance in achieving compliance and completing the self-assessment questionnaire. Merchants and service providers must be aware that only vendors included on the Council’s list of Qualified Security Assessors (QSAs) are trained by the PCI SSC to provide assessments against the PCI DSS. IT Governance, for example, is an approved PCI QSA company and is listed on the PCI SSC website.
We also offer a one-day PCI DSS v3 SAQ Workshop, which is designed to provide delegates with the practical knowledge required to complete the new PCI DSS v3 self-assessment questionnaires and ensure full compliance with the PCI DSS v3 in 2015.
My advice would be that professionals who are responsible for ensuring that their organisation maintains full compliance with the PCI DSS standard attend the PCI DSS v3 SAQ Workshop to familiarise themselves with the SAQ process. They can then make an informed decision as to whether they are in a position to go through the compliance process on their own, or would like to seek further help in the form of remote or on-site PCI consultancy support, which IT Governance can also provide.