A closer look to PCI DSS Self-Assessment Questionnaire A

As previously discussed, the Self-Assessment Questionnaire is a validation tool which can assist Merchants and Service Providers while self-evaluating their PCI Compliance with the Payment Card Industry Data Security Standard (PCI DSS).There are a total of eight different questionnaires (A, A-EP, B, B-IP, C-VT, C, D, PEP2HW) which merchants and service providers can use to demonstrate that they are either compliant with, or working towards, compliance.

Let's take a look at the Questionnaire type A to understand what to expect and who is entitled to complete it.

A general overview of the questionnaire

Choosing the correct questionnaire is vital as an incorrect submission could leave your organisation vulnerable to a greater risk of payment card breach in addition to invalidating your compliance which, in turn, could lead to Card Scheme fines and reputation damage in the event of a data compromise.
Today we look at the questionnaire A and ask who can and cannot use it and why.

For those organisations that are required to be PCI DSS compliant, the questionnaire A is by far the simplest to contend with. Additionally, it is also the smallest form of SAQ, designed for environments in which the risk of payment card data exposure is extremely small.

Who should submit the questionnaire A?

The questionnaire A is intended for merchants who have completely outsourced all CardHolder Data processing functions. For these Merchants all payment acceptance and processing is entirely outsourced to a validated third-party provider which, in most cases, is a payment gateway that facilitates communication with your acquiring bank or is your acquiring bank itself.

In such a scenario you never really interact directly with CardHolder Data in electronic form, be it a text file on your workstation, an excel file, an email, a database or any other software; you simply do not see your client’s data at all unless it is on paper reports or paper receipts that you do not receive electronically.

It is important to note that you can only be considered to be a so called card-not-present merchant if you never see a client’s physical card and you only accept payments over the telephone or via traditional mail (this does not include email), or via an e-commerce website.

I have an e-commerce website and never collect customers data – am I entitled to questionnaire A?

In such a situation you are only entitled to the questionnaire A if your e-commerce website does not receive customers data AND it does not control how consumers, or their data, are redirected to a validated third-party payment processor. This entitlement has been given greater clarity in the "Understanding the SAQs for PCI DSS v3.0" document released by the Payment Card Industry Security Standards Council which we highly suggest reading if you are still unsure).

The guidelines clearly say that you are on the questionnaire A only if one of the following scenarios applies:

• Your website collects CardHolder Data but you have no access to it because is completely hosted and maintained by a third-party PCI DSS Validated service provider. This means if you have System Level access to your webserver or, for example, the possibility to upload web pages via FTP then you are not in this scenario.
• You do have access to your website and maintain it by yourself but you have delegated all the handling of CardHolder Data to a Validated Payment gateway that you have integrated with an inline frame (iFrame), thus the web page collecting the data is not under your control and influence.
• You do have access to your website and maintain it by yourself but you have delegated all the handling of CardHolder Data to a Validated Payment gateway that you have integrated with full redirect method thus the web page collecting the data is not under your control and influence.

The above mentioned guidelines also state that “If any element of a payment page delivered to consumers’ browsers originates from the merchant’s website questionnaire A does NOT apply; however the self-assessment questionnaire A-EP may be applicable” and it goes on to state two scenarios in which you will not be eligible for questionnaire A:

• “Direct Post” which is when the merchant website created the payment form but the data is delivered directly to the payment processor.
• Any other JavaScript-based solution that supports the creation of the payment page and/or how the data is transmitted to the payment processor.

The questionnaire A is not applicable to face-to-face merchants, merchants that keep customers data electronically or eCommerce merchants that integrate with payment gateways with JavaScript or Direct Post.

What type of questions are asked in the Questionnaire A?

Of all the Self-Assessment questionnaires, the type A asks the fewest questions - just 14 in fact - which are based around just two of the twelve requirements of the full Payment Card Industry Data Security Standard. Find the official questionnaire A here.

The first 9 questions cover the physical security of any paper receipt containing customers data that you might have in your organisation and how to keep them safe during their whole life-cycle from receipt to destruction. The good news is that those are not applicable if you don’t have hard-copies of your client’s data.

The remaining 5 questions concern your service providers’ compliance with Payment Card Industry Data Security Standard. As previously mentioned, your organisation will only be eligible for questionnaire A if your service providers are themselves PCI DSS validated. The previous 5 questions are therefore in place to ensure your diligence in choosing your third party provider.

How can your IT Security advisor help?

Advantio is a PCI QSA and PA QSA. As a trusted advisor we can assist with the following:

• If you are on the edge of SAQ A applicability we can offer assistance in redesigning your business processes to ensure that the impact of Payment Card Industry Data Security Standard is minimal to your organisation.
• We can take care of the due diligence process surrounding the selection of service providers.
• We can help write the required policies and procedures.