The Payment Card Industry Data Security Standard Self-Assessment Questionnaire (PCI DSS SAQ) allows merchants, service providers and other businesses that deal with card or customer data to evaluate and consider each aspect of their company's security in terms of the PCI Compliance requirements. Companies that deal with cardholder data in any way, shape or form must be PCI compliant, therefore, the PCI DSS SAQ is an invaluable tool on how to become compliant.
In addition to making sure that a company has a firm grasp on its network and its various components, it also makes the company aware of the network's flaws, possible attack vectors and specific areas that they need to work on in order to make sure that their data is as secure as humanly possible. Furthermore, companies may be asked to present their SAQ to financial institutions (e.g acquiring banks) to prove their PCI compliance.
Previously on our Blog we have offered in depth breakdowns of what to expect from SAQ A, SAQ A-EP and SAQ B. As we continue our coverage of SAQ questionnaires, this latest article explains just what exactly PCI DSS Self-Assessment Questionnaire B-IP is and whether or not you should be taking i
Who should fill out the SAQ B-IP?
There are several different SAQ offered by the Payment Card Industry and it is extremely important that you take the right one as each one will include a different set of PCI DSS requirements. These requirements are different depending on the business: what that business offers, how that business offers it and the sort of devices, networks and processes that business uses to collect, transmit or store their data.
SAQ B and SAQ B-IP are quite similar in that they both affect businesses that only store paper reports/paper copies of receipts with cardholder data and use a standalone point-of-interaction (POI) terminal to process their transactions. These terminals are where your customers may use Chip & Pin, where they may swipe their card or where transactions are manually keyed in.
However, the fundamental difference between the standalone terminals mentioned in PCI DSS Self-Assessment Questionnaire B and those mentioned in PCI DSS Self-Assessment Questionnaire B-IP, is that Questionnaire B-IP covers terminals that are network based whereas SAQ B terminals only transmit data via dial-up.
The criteria for taking SAQ B-IP is as follows:
- Your company uses only standalone, approved PIN Transaction Security devices (PTS) or point-of-interaction (POI) devices (excludes SCRs) connected via IP to your payment processor to take your customers’ payment card information;
- The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs);
- The standalone IP-connected POI devices are not connected to any other systems within your environment (this can be achieved via network segmentation to isolate POI devices from other systems);
- The only transmission of cardholder data is from the PTS-approved POI devices to the payment processor;
- The POI device does not rely on any other device (e.g., computer, mobile phone, tablet, etc.) to connect to the payment processor;
- Your company retains only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically;
- Your company does not store cardholder data in electronic format.
Network-based terminals pose a significantly higher risk that ordinary dial-up terminals and so as PCI DSS Self-Assessment Questionnaire B-IP must protect the data when it is in transit on data networks, the questionnaire includes more question than SAQ B.
What sort of questions are in SAQ B-IP?
The questions in PCI DSS Self-Assessment Questionnaire B-IP are broken down into several requirements including the installation and maintenance of firewalls, encrypting the transmission of cardholder data across public networks, identifying and authenticating access to system components and regularly testing security systems and processes.
Although Questionnaire B-IP is jam packed with questions, many of these are yes or no and they also come with a list of actionable tasks that you can do if your security isn't up to scratch (e.g reviewing results of past vulnerability scans, interviewing responsible personnel, examining firewall and router configurations). The PCI also explains that if SAQ B-IP includes requirements that aren't applicable to your environment (e.g it mentions devices that your business doesn't use at all) then you should probably be taking a different SAQ instead.
Here are some examples of questions:
- Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
- Are unnecessary default accounts removed or disabled before installing a system on the network?
- The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?
- Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
- Are critical security patches installed within one month of release?
Get support from a PCI DSS expert.
You need PCI Compliance experts to aid your company in achieving compliance.
As a trusted advisor, our QSAs (Qualified Security Assessors) can support an organisation in understanding the requirements, verify eligibility and can help with the completion of any SAQ. We can guide your company on the path to compliance, supporting you every step of the way.
Achieve and maintain PCI DSS Compliance continually, keep your business safe and healthy by making sure that you retain your customer’s trust.