The Payment Card Industry Data Security Standard’s (PCI DSS) self-assessment questionnaires (SAQs) are validation tools intended to help merchants and service providers report the results of their PCI DSS self-assessment and demonstrate compliance. Depending on the total annual volume of payment card transactions your business conducts, and how they are conducted (in person or online), your organisation may have to complete an SAQ as part of your compliance reporting. This is an important opportunity to assess your current security posture, and it provides significant benefits even to those organisations that may not have to complete an SAQ.
As you already know, transaction volume and type are used to determine your organisation’s PCI Merchant Level. Of the four Merchant Levels recognised by the payment card brands, all but Level 1 merchants, those with the highest volume of transactions (exceeding 6 million transactions a year), are required to complete an SAQ as part of their Attestation of Compliance. Level 1 merchants are exempt from this process because they are required to work with a Qualified Security Assessor (QSA) to obtain a Report on Compliance (ROC). Businesses of every other Merchant Level must complete one of the nine different SAQs prepared by the PCI Security Standards Council (PCI SSC). The completed SAQ, a quarterly network scan by an Approved Scanning Vendor (ASV) and a completed Attestation of Compliance form are the three procedures required to continue accepting payment card transactions.
Now, let’s take a deeper look at the Self-Assessment Questionnaires and the process that you might be working on to better prepare and understand both the procedure and its intent in safeguarding payment card transactions in your business.
PCI Merchant Levels and Compliance Requirements (Including SAQ)
We’ve gone into PCI Merchant Levels in some detail previously. To recap quickly, while each payment card brand differs slightly, at an extremely high level, the PCI DSS merchant levels are assigned as follows:
- Level 1 – Over 6 million payment transactions annually
- Level 2 – Between 1 and 6 million transactions annually
- Level 3 – Between 20,000 and 1 million transactions annually
- Level 4 – Less than 20,000 payment transactions annually
With each of these Merchant Levels, there are specific validation requirements to demonstrate compliance with the PCI DSS and other applicable PCI Standards. In addition to a completed Attestation of Compliance Form, validation requirements include the following for each assigned Merchant Level:
Level 1
- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
- Quarterly network scan by an Approved Scanning Vendor (ASV)
Levels 2 and 3
- Appropriate annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by an Approved Scanning Vendor (ASV)
- Attestation of Compliance Form
Level 4
- Requirements are largely dependent on the merchant’s acquiring bank
- Typically, this would include an SAQ and a quarterly network scan by an ASV
Depending on the Merchant Level, the technology used to conduct transactions and the type of payment card transactions conducted within your business (card present, card-not-present, online), you will be directed to one of the different SAQs. The SAQ uses a series of questions relevant to one of the 12 Requirements of the PCI DSS to ensure you are configured to accept payment card transactions according to “common-sense” security. Use this handy checklist to ensure you’re complying with the PCI DSS.
While we’ve come a long way from the days when there were only four different SAQs, further specification of how transactions are conducted has made the SAQ process much more pertinent to your business. Once you have identified the correct SAQ for your business from the nine currently available, all of its questions should largely be relevant to your operations. You no longer have to answer a series of irrelevant questions of the kind contained in the more generic SAQs of yesteryear.
Minimise Scope, Minimise Your Number of SAQ Questions
In this process, the smaller the scope of your card data environment (CDE), the fewer the number of PCI Requirements you are beholden to, and the fewer SAQ questions to complete.
In fact, if you minimise your CDE (perhaps with a little help from our Cardprotect solution), you may have fewer than 30 total questions to answer. This is because in this setup only PCI DSS Requirements 3, 9 and 12 are applicable to your scope.
However, if you haven’t minimised your scope to this degree, don’t fret. The SAQ process is designed to be uncomplicated and based on common sense security practices, just like the PCI DSS. The questions themselves can generally be answered by someone familiar with the IT and procedural policies of your operations, or even a small team aware of these. The more you descope your card data environment, the fewer questions you’ll have to answer. Depending on the amount of scope reduction, you will have to answer a number of questions pertaining to each of the 12 PCI DSS Requirements.
Examples from the SAQ-D include questions like:
- Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions?
- Is data storage amount and retention time limited to that required for legal, regulatory and/or business requirements?
- Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks sending cardholder data or connected to the cardholder data environment?
- Are the card verification code (three-digit or four-digit number printed on the front or back of a payment card), personal identification number (PIN), or the encrypted PIN block not stored after authorisation?
- Is anti-virus software deployed on all systems commonly affected by malicious software?
As with any aspect of your organisation’s PCI DSS compliance journey, there are great resources to help you secure your organisation to the best of your ability and to protect your business from the damaging effects of a data breach. Your acquiring bank should be a go-to resource, while the PCI SSC also posts a wide variety of guidance for businesses of every size and shape. Of course, feel free to reach out to us to discuss the compliance programme for your call or contact centre or how to effectively minimise the scope of your card data environment.