Visa Europe revealed important stats about the usage of Contactless Cards. Poland, Spain and the UK use this payment methd the most, with UK usage growing by 300% year over year.
Companies that deal with cardholder data must be compliant with the the Payment Card Industry Data Security Standard (PCI DSS) and fill out the right Self-Assessment Questionnaire (PCI DSS SAQ). Filling out a SAQ is one of the ways Merchants can prove their compliance to their Acquiring Banks and, consequently, to the five founders of the PCI SSC (American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.).
These questionnaires allow you to self-evaluate your company's security status and it also gives you a chance to really dig into and think about your company's security practices (as well as what needs to be done to improve them).
As explained here, it's incredibly important that you fill out the correct questionnaire for your business as failing to be compliant can result in fines or, even worse, breaches where malicious attackers are able to gain access to the cardholder data that you store, process or transmit.
So, below is a helpful set of information allowing you to figure out if PCI DSS SAQ C is the right one for you.
Self-Assessment Questionnaire C is a 140 questions long paper, so make sure it’s the right one for you before filling one out. You probably don't want to spend time answering all of those questions only to realise that you've filled out the incorrect one.
First and foremost, you should ask yourself whether or not you store any card data in electronic form (this may even include recorded phone calls with cardholder data) because if you do, that means that you are not eligible for this particular SAQ. If you do store card data electronically then you should look at SAQ D instead.
Additionally, SAQ C can only be completed if your company deals with cardholder data via mail or telephone orders (card not present) or if it has point-of-sale terminals (card present), if your business is in ecommerce then you are ineligible to take the questionnaire.
Here is the full list of criteria for taking SAQ C:
It's also important to note that the PCI council notes that "this shortened version of the SAQ includes questions that apply to a specific type of small merchant environment, as defined in the above eligibility criteria".
Unfortunately the PCI DSS doesn't offer any guidelines on what a "small" merchant is but a good example is a small shop with just one or two point of sale terminals. If you aren't a small merchant that can answer 'yes' to all of the things on that SAQ C criteria list, this SAQ may not be for you.
While it may seem daunting and impossible to answer each of the 140 questions present in this questionnaire, they are at least made easier to get through as each of the questions has its own section, corresponding with all 12 of the PCI DSS' requirements (e.g maintaining a policy that addresses information security for all personnel, developing and maintaining secure systems and applications, and regularly testing security systems and processes).
Also aiding questionnaire takers somewhat is that the questions only have four responses: "Yes", "Yes with CCW" (Compensating Control Worksheet), "No", or "N/A". And on top of this, each question comes with a list of 'expected testing'; actionable things you can do (e.g review policies, interview personnel, and observe processes) making it easy enough to remedy any issues.
Here are some examples of questions:
As you can see, a lot of thought and time needs to go into filling an SAQ out and becoming PCI compliant, but working with a QSA (Qualified Security Assessor) like Advantio's team can help to ease the burden. Our trusted advisors can guide you and your company on the path to PCI compliance, making it a smooth and easy process.
PCI QSA and Information Security professional with more than 14 years of experience within the payment card industry. I’ve been involved in dozens of ATM compliance and security projects having worked for global payment service providers alongside the Fraud team, engaged in end-to-end fraud prevention process (from monitoring of suspicious transactions to seizure of criminals).
Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council.