Visa Europe revealed important stats about the usage of Contactless Cards. Poland, Spain and the UK use this payment method the most, with UK usage growing by 300% year over year.
The Payment Card Industry Data Security Standard Self-Assessment Questionnaire (PCI DSS SAQ) allows merchants, service providers and other businesses that deal with card or customer data to evaluate each aspect of their company's security against the PCI DSS requirements. Companies that handle cardholder data in any way, shape or form must be PCI compliant; the PCI DSS SAQ is therefore an invaluable tool for becoming compliant.
In addition to making sure that a company has a firm grasp of its network and its various components, the SAQ also makes the company aware of the network's flaws, possible attack vectors and the specific areas it needs to work on to keep its data as secure as humanly possible. Furthermore, companies may be asked to present their SAQ to financial institutions (e.g. acquiring banks) to prove their PCI compliance.
Previously on our Blog we have offered in-depth breakdowns of what to expect from SAQ A, SAQ A-EP and SAQ B. As we continue our coverage of the SAQ questionnaires, this latest article explains exactly what PCI DSS Self-Assessment Questionnaire B-IP is and whether or not you should be taking it.
There are several different SAQs offered by the Payment Card Industry and it is extremely important that you take the right one, as each includes a different set of PCI DSS requirements. These requirements vary depending on the business: what that business offers, how it offers it, and the sort of devices, networks and processes it uses to collect, transmit or store cardholder data.
SAQ B and SAQ B-IP are quite similar in that they both affect businesses that only store paper reports/paper copies of receipts with cardholder data and use a standalone point-of-interaction (POI) terminal to process their transactions. These terminals are where your customers may use Chip & Pin, where they may swipe their card or where transactions are manually keyed in.
However, the fundamental difference between the standalone terminals covered by PCI DSS Self-Assessment Questionnaire B and those covered by PCI DSS Self-Assessment Questionnaire B-IP is that Questionnaire B-IP covers terminals that are network based (IP-connected), whereas SAQ B terminals only transmit data via dial-up.
The criteria for taking SAQ B-IP are as follows:
Network-based terminals pose a significantly higher risk than ordinary dial-up terminals, and because PCI DSS Self-Assessment Questionnaire B-IP must also cover protection of cardholder data while it is in transit on data networks, the questionnaire includes more questions than SAQ B.
The questions in PCI DSS Self-Assessment Questionnaire B-IP are broken down into several requirements including the installation and maintenance of firewalls, encrypting the transmission of cardholder data across public networks, identifying and authenticating access to system components and regularly testing security systems and processes.
Although Questionnaire B-IP is jam-packed with questions, many of them are simple yes/no questions, and each comes with a list of actionable testing procedures you can carry out if your security isn't up to scratch (e.g. reviewing the results of past vulnerability scans, interviewing responsible personnel, examining firewall and router configurations). The PCI SSC also explains that if SAQ B-IP includes requirements that aren't applicable to your environment (e.g. it mentions devices that your business doesn't use at all) then you should probably be taking a different SAQ instead.
Here are some examples of questions:
You need PCI Compliance experts to aid your company in achieving compliance.
As a trusted advisor, our QSAs (Qualified Security Assessors) can support an organisation in understanding the requirements, verifying eligibility and completing any SAQ. We can guide your company along the path to compliance, supporting you every step of the way.
Achieve and maintain PCI DSS Compliance continually, and keep your business safe and healthy by making sure that you retain your customers' trust.
I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.
Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA