Visa Europe revealed important stats about the usage of Contactless Cards. Poland, Spain and the UK use this payment methd the most, with UK usage growing by 300% year over year.
Irmantas Brazaitis September 25, 2018
In June 2018 the PCI Security Standards Council (SSC) released version 3.2.1 of the Self-Assessment Questionnaires (SAQs). Here, we take a look at the changes introduced and what these mean for you. We will also help you choose the right SAQ for PCI DSS compliance validation for your needs.
If we compare v3.2.1 to v3.2, the only real change that was introduced was the addition to PCI DSS requirement 6.2 (system component and software security patching) to SAQ A. This tells us that the PCI SSC is paying more attention and is increasing the requirements even for e-commerce merchants using URL Redirect and/or iFrame methods (Ref. Information Supplement: Best Practices for Securing E-commerce in Sections 2.1 and 2.2).
There are 8 SAQs available for merchants and one for service providers. This doesn’t make it a trivial task to choose the right one, so let’s try to simplify this with step-by-step instructions. First, let’s start with an overview of all the types of SAQs.
If you would like to get a PDF version of this table to view and print, click here.
It’s a complex table with many options that take time to comprehend (If you feel comfortable reading and understanding it already, please contact our HR team as we might want to hire you immediately!).
Next, we’ll provide you with some tips and guidance on how to manage the table and its outputs systematically.
If you are a service provider and you are eligible for SAQ validation (if in doubt check with the payment brands and/or your QSA), then it’s simple as you can only use SAQ D for service providers. Remember that an entity can be a merchant and a service provider, and it is not uncommon to see a merchant providing transaction processing services to other merchants, making the same entity a service provider too.
If you are a merchant and you are eligible for SAQ validation (always check with your acquirer), you should identify the applicable SAQ type separately for each card payment acceptance channel you have; card-present (brick-and-mortar), MOTO (Mail Order/Telephone Order) and/or e-commerce.
The first question you need to answer is if you store any electronic cardholder data, including any legacy data. If the answer is yes, you don’t need to waste your time looking at different SAQ types, it will be SAQ D. The next step is to review the business need to maintain electronic cardholder data storage. SAQ D is the most complex one, and if cardholder data storage can be avoided you may reduce your compliance efforts significantly by completing a different type of SAQ.
You should approach each card payment channel separately. Let’s start with e-commerce. If you accept e-commerce transactions you can only be eligible for SAQ A, SAQ A-EP or SAQ D. Read all eligibility criteria carefully to determine the applicable SAQ type. As a general rule, e-commerce merchants using URL Redirect and/or iFrame methods will be eligible for SAQ A. E-commerce merchants using Direct Post Method (DPM) and/or JavaScript Form will be eligible for SAQ A-EP. And e-commerce merchants using an API method or any other method will have to work with SAQ D (Ref. Information Supplement: Best Practices for Securing E-commerce Sections 2.1, 2.2, 2.3, 2.4 and 2.5).
For MOTO (Mail Order/Telephone Order) transactions you may be eligible for:
When it comes to card-present (brick-and-mortar merchant) acceptance channel, you have a choice of:
You have to meet all eligibility criteria for the SAQ type you’re aiming for and it may not be simple to achieve. Therefore, we recommend that you should seek guidance from your acquirer and/or QSA whenever in doubt. SAQs C and C-VT are especially tricky to interpret when it comes to the eligibility criteria for network segmentation. You should also not forget voice recordings that may contain cardholder data when accepting telephone payments. This immediately drops you down to SAQ D. Telephone payments are even trickier as you need to consider the technology you’re using, for example, Voice over IP using a company’s network may bring it into scope.
Once you have identified the SAQ types eligible for each of your card payment acceptance channels, you should always contact your acquirer to confirm if you need to complete separate SAQs for each channel. In our experience it is possible to reach an agreement with the acquirer for a merchant to fill-in an SAQ for each card payment acceptance channel, for example, SAQ A for e-commerce, SAQ P2PE for brick-and-mortar and SAQ C-VT for MOTO transactions. Completing these three SAQs is much easier than filling-in one SAQ D.
One more piece of advice we want to leave you with is always to complete and maintain your card data flow diagram(s) (PCI DSS requirement 1.1.3) and an inventory of system components that are in scope for PCI DSS validation (PCI DSS requirement 2.4). You will notice that SAQs A, A-EP (1.1.3 but not 2.4), B, B-IP, C, C-VT and P2PE do not have these requirements listed, but it is key information proving that you have performed the scoping in a right way.
To ensure that you are keeping cardholder data protected, get in touch with our cyber security experts. We will walk you through the journey of compliance, ensuring that nothing is missed.
Information security professional with 12+ years of experience in information security consulting, 2+ years of experience in the role of information security manager, and 2+ years of experience in large scale governmental IT project management. Developed and delivered PCI DSS Implementation and ATM Security training sessions in 15+ different countries. Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council, holding CISM, CISA and CISSP certifications in good standing.
Comments