As previously discussed, the Self-Assessment Questionnaire (SAQ) is a validation tool which can assist merchants and service providers while self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are a total of eight different questionnaires (A, A-EP, B, B-IP, C-VT, C, D, P2PE-HW) which merchants and service providers can use to demonstrate that they are either compliant with, or working towards compliance with, the standard.
Let's take a look at the Questionnaire type A to understand what to expect and who is entitled to complete it.
Choosing the correct questionnaire is vital. An incorrect submission could leave your organisation exposed to a greater risk of a payment card breach, and it also invalidates your compliance, which in turn could lead to Card Scheme fines and reputational damage in the event of a data compromise.
Today we look at the questionnaire A and ask who can and cannot use it and why.
For those organisations that are required to be PCI DSS compliant, questionnaire A is by far the simplest to contend with. It is also the smallest form of SAQ, designed for environments in which the risk of payment card data exposure is extremely small.
Questionnaire A is intended for merchants who have completely outsourced all cardholder data processing functions. For these merchants all payment acceptance and processing is entirely outsourced to a validated third-party provider which, in most cases, is a payment gateway that facilitates communication with your acquiring bank, or is your acquiring bank itself.
In such a scenario you never interact directly with cardholder data in electronic form, be it a text file on your workstation, an Excel file, an email, a database or any other software; you simply do not see your clients' card data at all unless it is on paper reports or paper receipts that you do not receive electronically.
It is important to note that you can only be considered a so-called card-not-present merchant if you never see a client's physical card and you only accept payments over the telephone, via traditional mail (this does not include email), or via an e-commerce website.
In such a situation you are only entitled to questionnaire A if your e-commerce website does not receive customers' card data AND it does not control how consumers, or their data, are redirected to a validated third-party payment processor. This entitlement has been given greater clarity in the "Understanding the SAQs for PCI DSS v3.0" document released by the Payment Card Industry Security Standards Council, which we highly suggest reading if you are still unsure.
The guidelines clearly say that you are on the questionnaire A only if one of the following scenarios applies:
The above mentioned guidelines also state that “If any element of a payment page delivered to consumers’ browsers originates from the merchant’s website questionnaire A does NOT apply; however the self-assessment questionnaire A-EP may be applicable” and it goes on to state two scenarios in which you will not be eligible for questionnaire A:
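The rule quoted above turns on a technical property of the page where card data is entered: every element delivered to the consumer's browser must originate from the validated third party, not from the merchant. The following Python script is an added example, not code from the original post or from Advantio; it is a triage helper that records the origin of each resource-loading or form-submitting element on a captured HTML page and reports any that are not served by an allow-listed processor host. The host names and HTML pages in it are constructed for illustration, and the result is a first-pass indicator for an assessor, not a substitute for the Council's eligibility criteria.

```python
# Added example (not part of the original post): apply the "every element of
# the payment page must originate from the validated third-party processor"
# rule to a captured HTML page. All host names and pages below are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> attribute that references an external resource or a submission target
URL_ATTRS = {
    "script": "src", "iframe": "src", "form": "action", "img": "src",
    "link": "href", "embed": "src", "object": "data",
}


class ElementOrigins(HTMLParser):
    """Record (tag, resolved URL, host) for every element that loads or submits somewhere."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.elements = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and not attrs.get("src"):
            # an inline script is served by the page's own origin
            self.elements.append((tag + "(inline)", self.page_url, self.page_host))
            return
        if tag == "form" and not attrs.get("action"):
            # a form without an action submits back to the page's own URL
            self.elements.append((tag, self.page_url, self.page_host))
            return
        attr = URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            resolved = urljoin(self.page_url, attrs[attr])
            host = urlparse(resolved).hostname or self.page_host
            self.elements.append((tag, resolved, host))


def audit_payment_page(page_url, html, processor_hosts):
    """Return the elements of the page that do NOT originate from processor_hosts.

    An empty result means the page itself and every element on it come from the
    processor, which is the condition the SAQ A guidance describes. A non-empty
    result means the page is a candidate for SAQ A-EP at best, not SAQ A.
    """
    allowed = {h.lower() for h in processor_hosts}
    parser = ElementOrigins(page_url)
    parser.feed(html)
    offending = []
    if (parser.page_host or "").lower() not in allowed:
        offending.append(("page", page_url, parser.page_host))
    for tag, url, host in parser.elements:
        if (host or "").lower() not in allowed:
            offending.append((tag, url, host))
    return offending


def find_payment_frames(merchant_url, html, processor_hosts):
    """List iframe URLs on the merchant's checkout page that point at the processor.

    These frames are the actual payment pages; their content is what should be
    fetched and passed to audit_payment_page(). The merchant page around them
    is not the payment page.
    """
    allowed = {h.lower() for h in processor_hosts}
    parser = ElementOrigins(merchant_url)
    parser.feed(html)
    return [url for tag, url, host in parser.elements
            if tag == "iframe" and (host or "").lower() in allowed]


# Constructed sample data: hypothetical processor host and two merchant pages
PROCESSOR_HOSTS = {"pay.example-processor.test"}

IFRAME_PAGE = """<html><body>
<h1>Checkout</h1>
<iframe src="https://pay.example-processor.test/frame?order=42"></iframe>
</body></html>"""

HOSTED_FORM_PAGE = """<html><body>
<script src="https://pay.example-processor.test/fields.js"></script>
<form action="https://pay.example-processor.test/submit">
<input name="card-number"><input name="expiry">
</form></body></html>"""

if __name__ == "__main__":
    merchant_url = "https://shop.example.test/checkout"
    print("processor frames on merchant page:",
          find_payment_frames(merchant_url, IFRAME_PAGE, PROCESSOR_HOSTS))
    # Here the card-entry form lives on the merchant's own page, so the page
    # itself is merchant-origin even though its script and form target are not.
    for item in audit_payment_page(merchant_url, HOSTED_FORM_PAGE, PROCESSOR_HOSTS):
        print("merchant-origin element:", item)
```

Run against the first constructed page, the script identifies the processor-hosted iframe as the payment page to inspect next; run against the second, it flags the merchant checkout page itself as merchant-origin, because the card fields are rendered on the merchant's domain even though the script and form action point at the processor. That is the shape of deployment the quoted guidance steers towards SAQ A-EP rather than SAQ A.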
Of all the Self-Assessment questionnaires, the type A asks the fewest questions - just 14 in fact - which are based around just two of the twelve requirements of the full Payment Card Industry Data Security Standard. Find the official questionnaire A here.
The first 9 questions cover the physical security of any paper receipts containing customer card data that you might have in your organisation, and how to keep them safe during their whole life-cycle from receipt to destruction. The good news is that these are not applicable if you don't hold hard copies of your clients' card data.
The remaining 5 questions concern your service providers' compliance with the Payment Card Industry Data Security Standard. As previously mentioned, your organisation will only be eligible for questionnaire A if your service providers are themselves PCI DSS validated. These 5 questions are therefore in place to ensure your diligence in choosing your third-party provider.
Advantio is a PCI QSA and PA QSA. As a trusted advisor we can assist with the following:
I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.
Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA