Payment Card Industry Data Security Standard Self-Assessment Questionnaire (PCI DSS SAQ) may be a long and complex phrase to remember, but for merchants and service providers it is a vital tool for validating PCI compliance.
The SAQs that the Payment Card Industry Security Standards Council (PCI SSC) provides are designed to help merchants and service providers self-evaluate their compliance with the PCI Data Security Standard. In doing so they can not only identify and assess their own security practices, but also plan further actions towards becoming PCI compliant. The SAQ may also be shown to the merchant's or service provider's acquiring bank in order to prove that they were PCI compliant at a particular point in time.
We have already discussed SAQ A and SAQ A-EP in our previous posts, and we will continue exploring all the questionnaires over the coming weeks. The one we are discussing today is Self-Assessment Questionnaire B (SAQ B).
The Self-Assessment Questionnaire B should be filled out by businesses that only process credit card data via imprint machines or via a standalone dial-out terminal.
Card imprint machines are non-electronic machines that make an imprint of the payment card, transferring the imprint onto a carbon-paper receipt, which is then stored by the business. Dial-out terminals, on the other hand, are electronic machines on which you can use Chip & PIN, swipe cards or manually key in transactions; however, in order to be eligible for questionnaire B, your standalone dial-out terminal may only be connected to a phone line and nothing else.
You can fill out this questionnaire if you run a brick-and-mortar (card-present) business or a mail/telephone order (card-not-present) business, as long as you don’t store card data on any computer system. If you are an eCommerce business, or if you enter customer card data into a computer or database, then you shouldn’t fill it out.
The criteria for using Self-Assessment Questionnaire B are as follows:
There are several different versions of the PCI DSS SAQ (Questionnaire B being one of them), which apply to different types of businesses offering different things. However, all self-assessment questionnaires are alike in that they consist of 'yes' or 'no' questions and include an Attestation of Compliance, which certifies that you are eligible to complete the SAQ and that you have chosen the right one for your business.
"If there are PCI DSS requirements applicable to your environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment"
"you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant"
For this reason, it's probably a good idea to take a look at what sort of questions are in SAQ B, so that you can ensure that this really is the right SAQ type for your business.
The questions in SAQ B relate to section 3 (protecting cardholder data), section 4 (encrypting cardholder data during transmission over open, public networks), section 7 (restricting access to cardholder data by business need to know), section 9 (restricting physical access to cardholder data) and section 12 (policies that address information security for all personnel). The following questions are taken from the questionnaire and are listed alongside the section that they relate to:
These questions also come with a list of expected testing, which may be something like 'observe processes', 'review policies and procedures' or 'examine data sources'. It is important to pay attention to these, because if you do not meet the criteria for a question or do not understand it, the expected testing list gives you actions you can take in order to answer the question appropriately.
Advantio are PCI Compliance experts and can aid your company in achieving compliance.
As a trusted advisor, our QSAs (Qualified Security Assessors) can support an organisation in understanding the requirements, verify its eligibility and help with the completion of any SAQ. We can guide your company along the path to compliance, supporting you every step of the way.
Achieve and maintain PCI Compliance continually, and keep your business safe and healthy by making sure that you retain your customers’ trust.
I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.
Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA