
If your business needs to become PCI compliant, you may be wondering what the process looks like and how to prepare.
This article explains what first-timers need to know about achieving PCI compliance. Find out how to determine the compliance level you need, the requirements you must satisfy, and how much time and money to budget.
The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect credit, debit, and cash card data against theft and fraud. It applies to any organization that processes, stores, or transmits payment card information. It also applies to any organization that can impact the security of payment card transactions, such as third-party service providers.
The PCI DSS was created in 2004 by card brands American Express, Discover, JCB International, Mastercard, and Visa Inc. to help businesses protect cardholder data and build trust with customers.
The PCI DSS includes security best practices such as encrypting stored cardholder data, deploying network firewalls, and running anti-virus software. The framework currently consists of 6 prime objectives, 12 requirements, and around 300 controls. The PCI Security Standards Council (PCI SSC) is in the final stages of developing version 4.0, which is expected in Q1 2022.
Non-compliance with PCI DSS carries serious consequences. Beyond the risk of a security breach, your company could face monthly fines from payment processors of up to $100k, not to mention lost reputation and revenue.
There are two types of organizations categorized within PCI DSS: merchants and service providers.
There are multiple levels of PCI DSS compliance, based on the number of credit, debit, and cash card transactions you process annually or on the requirements imposed by your customers or acquiring banks.
PCI DSS outlines 12 requirements for handling cardholder data and maintaining a secure network, organized into 6 objectives. Organizations must meet all of these requirements to achieve compliance.
PCI DSS requires organizations to secure their network with controls such as firewalls and to change default system settings and passwords.
Default user accounts and passwords for network devices, systems, and payment card infrastructure are easy to find, so reviewing and changing these defaults is also required.
Safeguarding cardholder data is the primary purpose of PCI DSS. Organizations must protect cardholder data whether it’s stored locally, on the cloud, or transmitted over the internet.
Cardholder data should not be stored unless there is a legitimate business need. If primary account numbers (PANs) are stored, they must be rendered unreadable.
Payment card data must be secured with strong cryptography whenever it’s transmitted over an open or public network. Unprotected PANs should never be sent by end-user messaging technologies.
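As an added example (not from the original article), the following Python shows two defensive checks behind these requirements: masking a stored PAN down to its first six and last four digits, and scanning text such as application logs or outbound messages for Luhn-valid PANs that should not be there. The sample lines are constructed and use well-known test card numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample lines (test card numbers, not real accounts) standing in for
# an application log and an outbound support e-mail.
SAMPLE_LINES = [
    "2021-11-03 10:14:02 INFO checkout ok card=4111 1111 1111 1111 amount=19.99",
    "2021-11-03 10:14:05 INFO order ref=1234567890123456 shipped",
    "Hi, please refund the payment made with 5555-5555-5555-4444 last week.",
]

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding >9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Render a PAN unreadable for display: keep only the first 6 and last 4 digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in text; other digit runs are ignored."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans

def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form, leaving other numbers alone."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, text)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        status = "UNPROTECTED PAN" if find_pans(line) else "clean"
        print(f"{status:15} | {redact_pans(line)}")
```

The Luhn check keeps the scanner from flagging order references and other long numbers, while anything that does validate is flagged for review and masked before it can be written to a log or sent onward.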
Vulnerability management programs monitor the cardholder data environment to uncover weaknesses. This includes running anti-virus software on all systems that are commonly affected by malware.
Security vulnerabilities in production applications should also be continuously monitored, and the software development lifecycle should include change control procedures and security measures.
Cardholder data should only be accessed by authorized personnel. Systems and business processes must be put in place to ensure access is on a need-to-know basis.
Physical access to cardholder and customer data must also be restricted on a need-to-know basis.
In the event of a data or security breach, audit logs are critical for determining what went wrong. PCI DSS requires organizations to be able to track activity within the cardholder data environment.
Systems and applications should also be tested frequently to ensure the environment is secure.
Strong security policies and procedures are the foundation of a robust security posture.
PCI DSS has different levels of compliance depending on a few factors, chiefly your annual transaction volume and what your customers or acquiring bank require.
The first step on the road to certification is determining which level of compliance you need.
The entity that requires your PCI compliance (customers, acquiring bank, credit card companies) will usually specify in their request that you perform either a Report on Compliance (RoC) or a Self-Assessment Questionnaire (SAQ).
If you don’t receive a specific request, you can use these questions to determine your level of compliance.
First: are you a merchant or a service provider?
Next, how many transactions do you process annually?
The RoC applies to Merchant Level 1 and Service Provider Level 1 organizations. If you don’t fall into these categories, you’ll need to complete an SAQ.
The SAQ has two parts: the questionnaire itself and an Attestation of Compliance (AoC).
The three main types of SAQs are:
SAQ A
SAQ A is for any e-commerce organization where payment cards are not present during the transaction. All cardholder data functions are outsourced to a third-party service provider. No cardholder data is stored, processed, or transmitted on the merchant’s systems or premises.
SAQ A-EP
SAQ A-EP is also for e-commerce merchants who outsource all payment processing to PCI DSS-compliant third parties. No cardholder data is stored, processed, or transmitted on the merchant’s systems or premises. However, A-EP organizations do have websites that can impact the security of the payment transaction.
SAQ D
All merchants who don’t fit into one of the categories above will need an SAQ D. All service providers who are eligible to complete an SAQ will also need an SAQ D.
To prepare for an assessment, you'll need to make sure policies and procedures are in place and will be followed during the audit period. You'll also need to complete an Approved Scanning Vendor (ASV) scan and/or a penetration test.
At this point, most organizations opt to complete a readiness assessment with a Qualified Security Assessor (QSA). This PCI DSS expert will determine whether your scope, controls, and processes are ready for audit.
If you are a Level 1 Merchant or Service Provider, you’re required to complete an annual Report on Compliance (RoC). This is an external audit performed by a QSA.
The QSA will review your policies, processes, controls, and evidence to decide whether you meet PCI DSS requirements.
If you do not need a Report on Compliance (RoC), you’ll complete an SAQ. The questionnaire walks through each PCI DSS requirement and its expected testing, and asks whether each control is in place (yes, yes with a compensating control, no, not applicable, or not tested), which helps you determine your level of compliance.
Both the RoC and the AoC are valid for one year, so to maintain certification you’ll need to complete an SAQ or RoC annually. You’ll also need to plan for recurring tasks throughout the year, such as ASV scans and penetration tests, to keep your PCI certification current.
When it comes to protecting customer data and credit card information from data breaches, PCI DSS is the foremost security standard. Achieving certification protects both your customers and your business from evolving threats. But with such rigorous standards, the process of achieving certification can be stressful and intimidating.
Our compliance automation platform simplifies the PCI compliance process from start to finish. With Secureframe, you can build PCI-compliant policies from our library of templates, train your employees, automate evidence collection, and continuously monitor your PCI controls. Request a demo to learn more.