Visa Europe revealed important stats about the usage of Contactless Cards. Poland, Spain and the UK use this payment methd the most, with UK usage growing by 300% year over year.
SAQs (Self-Assessment Questionnaires) are one way that merchants can validate their PCI DSS compliance to acquiring banks and to the PCI Security Standard Council (PCI SSC). Incredibly important in terms of how you keep cardholder data safe, there are eight SAQs to choose from: A, A-EP, B, B-IP, C, C-VT, D, and P2PE.
Having talked you through six of the existing Self-Assessment Questionnaires so far, next up is PCI DSS SAQ D.
This Self-Assessment Questionnaire happens to be the largest that an organisation can possibly take (all other SAQs' questions are taken from this questionnaire) and so it is incredibly important that you're absolutely certain that you should be taking it. You don't want to spend hours filling it out now, only to realise that it's the wrong one later on!
This particular questionnaire applies to any and all types of merchants, so the easiest way to tell if you should be taking it (and the first question you should ask yourself before doing so) is whether or not you store cardholder data digitally.
This may include storing data online in relation to e-commerce transactions or if you are a telemarketing company that handles cardholder data over the phone, and then those phone calls are stored and saved (e.g for training purposes or quality check).
Another question you should ask yourself is whether or not the other SAQs apply to you. SAQs have very specific criteria (for example, SAQ A is for merchants that outsource cardholder data processing functions and SAQ B is for those that transmit data via a dial-up connection) and so if your organisation doesn't fit the criteria of any other SAQ questionnaire, then you should take SAQ D. Questionnaire D specifically states that "[..] is for merchants who do not meet the criteria for any other SAQ type".
This list of merchant criteria provides some additional pointers:
The other key reason for taking this questionnaire, is that you are a Service Provider (defined as any company that provides a service related to payment cards, e.g if your organisation works with merchants or even banks). Service Providers do not need to look at the criteria of the other SAQs as they have to take SAQ D by default; there is no other SAQ for them.
When we said that Self-Assessment Questionnaire D is one huge document, we really weren't kidding!
Overall, SAQ D has 263 questions for you to answer, which is an absolutely phenomenal amount. Though, the questions are split up and sectioned off according to the 12 different PCI requirements, which makes them a little bit easier to get through - and we should also note that the questions are exactly the same for merchants and service providers.
Moreover, each question can be answered with "No", "Yes", "Yes with CCW" (Compensating Control Worksheet) or N/A (Not Applicable) and, if you answer "No" to any of the questions, the questionnaire also offers information on how to fix that particular problem and make your organisation compliant.
Here are some examples of the questions that you can find within the questionnaire:
With so many questions featured in SAQ D, it may seem like a difficult, impossible task. But with the help of a QSA (Qualified Security Assessor) that is an expert in PCI DSS compliance, finding out what the right questionnaire is for your company and achieving PCI compliance can become a stress-free process.
PCI QSA and Information Security professional with more than 14 years of experience within the payment card industry. I’ve been involved in dozens of ATM compliance and security projects having worked for global payment service providers alongside the Fraud team, engaged in end-to-end fraud prevention process (from monitoring of suspicious transactions to seizure of criminals).
Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council.