
An Excellent Balance to PCI DSS 4.0 Self-Assessment Questionnaires (SAQ)


SAQ is the abbreviation for Self-Assessment Questionnaire. SAQs are available to eligible merchants and service providers; eligibility generally depends on the merchant or service-provider level assigned by the card brands, which is based on the number of card transactions processed per year. Organizations above the threshold cannot self-assess and must instead be assessed by a Qualified Security Assessor (QSA). The questionnaire is a self-administered review of the PCI DSS controls a company has implemented: the process of examining your own business to evaluate the aspects that matter for compliance is what is meant by a self-assessment.

A self-assessment involves verifying your own controls and improving them where they fall short. The number of questions varies by SAQ type, from the short SAQ A to the full SAQ D.

Before exploring the SAQs for PCI DSS 4.0 (Payment Card Industry Data Security Standard), it helps to explain what an SAQ (Self-Assessment Questionnaire) is and what role it plays in the assessment.

So, what role do SAQs play in PCI?

In PCI DSS, the SAQ is the document by which an eligible organization demonstrates that it has achieved compliance and continues to maintain it; it is submitted together with an Attestation of Compliance (AOC). Its questions cover the cardholder data environment and give a comprehensive view of where the security posture has gaps. Completing the SAQ regularly lets a company track how its security environment matures, so gaps can be addressed in a timely manner and the company stays compliant.

Benefits of using multiple SAQs

When a company has two or more distinct, separated payment channels, it can be beneficial to complete multiple SAQs, one per channel. This means several smaller question sets rather than one large SAQ. More compact SAQs mean a more manageable workload to prepare, fewer requirements to comply with, and fewer resources consumed. Saving time is cost effective both for internal resources and for the hours of outsourced resources or consultants who complete the SAQ. For many companies, PCI compliance is not optional, so being able to save money while remaining compliant is a significant benefit. It makes sense to look carefully at the options rather than defaulting to SAQ D.


Types of SAQ

There are nine different types of SAQ: the original SAQ A, B, C, and D, plus the added categories A-EP, B-IP, C-VT, P2PE, and SPoC. In A-EP the EP is usually read as Electronic Payment, in B-IP the IP is Internet Protocol, and in C-VT the VT is Virtual Terminal. P2PE (Point-to-Point Encryption) is an acronym most of us are familiar with. That leaves SPoC, which stands for Software-based PIN Entry on COTS (commercial off-the-shelf devices).

Some companies can have more than one SAQ. This can happen when there are multiple payment environments that are segmented from each other and do not share systems. For example, if you have a phone-order service keyed into a virtual terminal in one segment (SAQ C-VT) and a front desk accepting card-present transactions on standalone dial-out terminals in another segment (SAQ B), it can be beneficial to complete two SAQs. You still need to comply with the full requirements of each SAQ separately, and the segmentation between the environments must actually hold. Contact your processor/acquirer or your external PCI consultant if you are unsure which SAQ you need to complete.

SAQ A-EP (Electronic payment)

As with SAQ A, SAQ A-EP is only for merchants that handle card-not-present (e-commerce) transactions. The difference is that payment processing is only partially outsourced: the merchant's website does not itself receive account data, but it controls how the customer or their account data is redirected to the third party. Outsourced payment processing must go to a PCI DSS validated and compliant third party, and the merchant must not electronically store, process, or transmit any account data. Merchants may therefore use a payment page that redirects the customer to the third party for payment, but because the merchant's site can affect the security of that transaction, more requirements apply than under SAQ A.

SAQ B

This questionnaire applies only to merchants that process account data via imprint machines or standalone, dial-out terminals. An imprint machine is the device commonly known as a knuckle-buster or click-clack machine: a manual device that records card transactions on a carbon-copy sales slip. These are no longer common, as they require embossed numbers and letters on the physical card.

A standalone dial-out terminal is a device that lets customers pay with their payment card. These terminals use a phone line and communicate point to point with the processor, which makes them simple to set up. To be eligible for SAQ B, the dial-out terminals in the merchant environment must not be connected to any other systems or to the Internet. In addition, the merchant must not electronically store account data from these transactions.

SAQ B-IP (Internet Protocol)

For SAQ B-IP, merchants are limited to PCI-listed, approved PIN Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor.

The PCI Security Standards Council maintains a separate standard (PTS) specifically for these devices. Account data is transmitted from the approved PTS POI devices to the payment processor; no other electronic storage or processing is permitted. Merchants using Secure Card Readers (SCRs) or Secure Card Readers for PIN (SCRPs) do not complete this questionnaire.

SAQ C-VT (Virtual Terminal)

Merchants that process account data through a third-party virtual payment terminal on an isolated, Internet-connected computing device complete SAQ C-VT. Only merchants that manually key in one transaction at a time, entering the information into an Internet-based virtual payment terminal solution, can use SAQ C-VT. The device must be isolated from other systems and must have no attached hardware, such as a card reader, that captures or stores account data.

SAQ P2PE (Point-to-Point Encryption)

Merchants that store, process, or transmit account data only through a validated, PCI-listed Point-to-Point Encryption solution are eligible to use SAQ P2PE. E-commerce channels and service providers cannot use this questionnaire. The merchant must have implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE solution provider.

SAQ SPoC (Software-based PIN Entry on COTS)

Merchants that use PCI-listed, approved PTS Secure Card Reader-PIN (SCRP) devices together with commercial off-the-shelf (COTS) mobile devices as part of a validated, PCI-listed Software-based PIN Entry on COTS (SPoC) solution use this questionnaire. Only card-present transactions are in scope, and the SPoC solution must be the only means by which account data is stored, processed, or transmitted. Merchants that use magnetic stripe readers that are not PTS-approved cannot use this questionnaire either. Merchants must not have access to clear-text account data on any computer system, and the payment channel must be segmented.

SAQ D for Merchants

Merchants that do not fit any of the SAQ categories above are eligible to use SAQ D. SAQ D is what you use when you accept account data on your own website or store account data electronically. If you are a merchant that stores account data but does not qualify for any of the SAQs mentioned above, you are also most likely SAQ D.

SAQ D for Service Providers

SAQ D for Service Providers applies to all service providers that are eligible to complete an SAQ. Contacting the card brands you are affiliated with will tell you whether you are eligible, as each card brand sets its own requirements. Most card brands divide service providers into two or three levels, and only the lower level is permitted to self-assess; the highest level requires an on-site assessment and a Report on Compliance (ROC) instead.

Conclusion

PCI DSS is an ongoing obligation. As online stores keep growing and expanding, the security of payments needs to keep pace. Consumers expect merchants and service providers to keep their account information private, and diligence in staying compliant is an advantage in the fight against bad actors. If you are just starting out, or have only just become aware of the need to become compliant, you do not need to navigate the details alone. A qualified PCI consultant can help.
