PCI SAQ (Self Assessment Questionnaire) What Is It

The PCI DSS Self-Assessment Questionnaire (SAQ) must be completed by eligible merchants every 12 months. For merchants that are not required to have an onsite assessment by a Qualified Security Assessor, it is the primary way to validate that the business is PCI compliant.

It is likely that in recent months you have heard of a business suffering a breach of its customers' payment card data. It happens so often now that we hear about it and forget the event just as quickly.

A 2015 study by Javelin Strategy & Research found that US$16 billion was stolen from 12.7 million consumers in the United States in 2014, roughly 1 in 25 people, with a new identity fraud victim every two seconds.

There is one recognized set of minimum security requirements for protecting this data: the Payment Card Industry Data Security Standard (PCI DSS, commonly referred to as PCI compliance).

Failing to meet PCI DSS not only betrays your customers' trust; if a non-compliant business is breached it also faces steep fines and expenses.

Keeping your business in-line, however, is easier than you think.

How to complete the Self-Assessment Questionnaire (SAQ) – To validate PCI compliance, your business needs to meet the validation requirements for the merchant level it falls into, which the card brands define by annual transaction volume. Most businesses (likely yours too) are Level 3 or Level 4 merchants, and both levels validate the same way: complete a Self-Assessment Questionnaire (SAQ) and, where the SAQ type requires it, pass a quarterly external vulnerability scan run by an Approved Scanning Vendor (ASV).

The PCI Security Standards Council (PCI SSC), which publishes PCI DSS, defines the SAQ as “a validation tool to assist merchants and service providers in demonstrating their compliance.”

The SAQ is completed by someone inside your business rather than by an outside assessor: the IT manager, the CFO, or another representative who knows how payments flow through the business. It is the first step on the path to validating PCI compliance.

The First Step to Completing a SAQ

The first step is to identify which SAQ type applies to your business, which depends on how you process, store and transmit customers' payment card data:

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) with all cardholder data functions outsourced to validated third parties.

SAQ B: Imprint-only merchants with no electronic cardholder data storage, or stand-alone dial-out terminal merchants with no electronic cardholder data storage.

SAQ C: Merchants with payment application systems connected to the Internet and no electronic cardholder data storage.

SAQ D: All other merchants (not covered by SAQs A–C above) and all service providers defined by a payment brand as eligible to complete an SAQ.

There are more (later versions of the standard added SAQ A-EP, B-IP, C-VT and P2PE for specific payment channels), but these four cover the basics.

Once you have identified the SAQ type applicable to your business, fill in the relevant SAQ and its Attestation of Compliance (AOC) form.

Use the SAQ as a guide to evaluate your business's security controls. Any gap in your payment environment that the SAQ highlights must be remediated and the relevant questions revisited, until you can answer every question 'Yes' (the control is in place) or 'Not Applicable'. A 'No' answer means the requirement is not met, and compliance with PCI DSS cannot be attested until it is.

The final step to becoming PCI Compliant

Once your business satisfies all the requirements in the SAQ, the remaining step (for SAQ types that require it) is to pass the quarterly external vulnerability scan of your Internet-facing website and payment systems by an ASV, and then submit the SAQ, AOC and scan report to your acquiring bank.


What Is a QSA

PCI DSS was first published in 2004, and the card brands' compliance programs require the largest merchants and service providers to have an onsite assessment of their PCI DSS compliance performed by a QSA. QSA stands for Qualified Security Assessor: a designation the PCI Security Standards Council (PCI SSC) awards to assessor companies, and to the individual employees of those companies who pass its training and examination, qualifying them to perform PCI DSS assessments and related consulting.

The PCI SSC has since expanded its training and qualification requirements for QSAs, but QSAs and the services they provide still vary a great deal: thoroughness, methodology, technical skill and other qualities differ widely from one assessor to the next.

The PCI DSS V2.0

PCI DSS v2.0, released in October 2010, added a number of clarifications and further guidance for assessments. The new version states that the first step of any PCI DSS assessment is to define its scope by identifying every location and flow of cardholder data within the organization's systems.

Many organizations are not aware of every location where cardholder data sits in their systems. To carry out such an assessment, a QSA must understand application data handling, network architecture, operating system security, storage and database technology, and the surrounding business and IT functions.

Virtualization Technology

PCI DSS v2.0 also added guidance on the use of virtualization technologies and how to assess them. As many organizations pursue cost savings through application and server virtualization, QSAs must understand this technology and how it differs from the traditional client/server deployments they are used to assessing.

Virtualization lets numerous server instances run on a single physical system, which many QSAs in the past treated as non-compliant with the one-function-per-server rule. PCI DSS v2.0 Requirement 2.2.1 explicitly accommodates virtualization, but requires that each virtual system component implement only one primary function: one virtual machine runs the database, for example, while another runs the web server, rather than both on the same machine. QSAs therefore need to understand virtualization-specific controls, virtual network segmentation, and the hypervisor and management controls that come with virtualization platforms.

Choosing a QSA

Once you select a QSA, the relationship is likely to be a long one, so look for a QSA that knows the technologies that will be assessed. Before hiring, gather your business requirements, interview the QSA in detail about past assessment experience, and schedule an onsite review and planning meeting. Make sure that the individual QSA you interview, who will collect the data and perform the assessment, is the same person who will eventually come onsite to manage it.

The QSA firm you choose will shape your compliance and security posture for a long time. The right choice pays off both in meeting the PCI DSS compliance requirements and in strengthening your security program for the longer term.


Is PCI Compliance Expensive

The cost of PCI DSS compliance depends on several factors, including the type of business, the annual number of transactions, the current IT infrastructure, and how the existing credit/debit card processing and storage network handles card data.

Possible PCI Compliance Fees

According to one set of estimates, the nation's largest merchants, categorized as Level 1 (more than 6 million transactions a year), spent about $125,000 assessing the PCI-related work required and a further $568,000 meeting the PCI requirements.

Reports describe one Level 1 merchant, a national retailer with 210 stores, spending about $500,000 to become compliant. Level 2 merchants, with between 1 and 6 million annual transactions, may need to spend around $105,000 on assessment and a further $267,000 on compliance.

Level 3 merchants, with between 20,000 and 1,000,000 e-commerce transactions a year, are estimated to spend $44,000 on assessment and $81,000 more on compliance. Level 4 merchants, handling fewer than 20,000 e-commerce transactions a year, face costs that vary with the type of business.

Additional Costs

The costs of PCI compliance do not end there; there are several additional costs, such as software and hardware upgrades if card data is stored in-house. One calculation puts the encryption cost for an organization with 100,000 card numbers on file at about $6 per card. Alternatively, merchants can use tokenization, where card data is stored by a remote provider and replaced with tokens, which trades the upfront cost for a per-transaction fee. None of these estimates include labour cost or the opportunity cost of other profit-making endeavours.

Requirements of the Merchants

Any merchant that accepts, processes or stores credit card data needs to be compliant, including small retailers and restaurants using a single POS system or terminal. Such businesses still complete a Self-Assessment Questionnaire, but the process is far less involved. Merchants using POS systems must be extra careful that the system is not improperly storing prohibited card data (such as full magnetic-stripe track data or card verification values after authorization), and should confirm that the vendor's payment application was validated under PABP (Visa's Payment Application Best Practices, since superseded by PCI SSC's PA-DSS).
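Two of the points above come down to the same practical task: the QSA section notes that organizations often do not know every location where cardholder data sits, and merchants are told to make sure their POS systems are not storing prohibited card data. Both call for a data discovery sweep. The following script is an added example, not code from the original page: it scans text for card-number-like digit runs, keeps only those that pass the Luhn check, flags track-2 magnetic-stripe data and card verification values (sensitive authentication data, which must never be stored after authorization), and reports only masked values so the report itself does not become another place where PANs are stored. The sample log lines are constructed for the example and use published test card numbers.

```python
import re

# Constructed sample input for this example: the kind of text a data
# discovery sweep might find in an application log or a database dump.
# The card numbers are the well-known Visa/Mastercard test PANs, not
# real accounts.
SAMPLE_TEXT = """\
2015-03-02 10:14:07 INFO  order=10021 pan=4111111111111111 exp=1218 status=approved
2015-03-02 10:14:09 DEBUG raw_swipe=;4111111111111111=12181011000012345678?
2015-03-02 10:14:11 INFO  customer_phone=+1 555 0100 invoice=1234567890123456
2015-03-02 10:15:30 INFO  order=10022 pan=5555555555554444 cvv2=123 status=approved
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run (so timestamps and IDs do not match).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track 2 magnetic-stripe data: ;PAN=YYMM service-code discretionary?
# Full track data is sensitive authentication data and must never be
# stored after authorization.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Card verification values logged under their usual field names.
CVV_RE = re.compile(r"\b((?:cvv2?|cvc2?|cid)\s*[=:]\s*)(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (PCI DSS Req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list:
    """Find PANs and sensitive authentication data in text.

    Returns a list of dicts {"line": n, "kind": "pan"|"track2"|"cvv",
    "value": masked match}. No unmasked PAN or CVV is ever returned.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            findings.append({"line": line_no, "kind": "track2",
                             "value": mask_pan(m.group(1)) + "=..."})
        for m in CVV_RE.finditer(line):
            findings.append({"line": line_no, "kind": "cvv",
                             "value": m.group(1) + "*" * len(m.group(2))})
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):     # drop invoice numbers, phone numbers, etc.
                findings.append({"line": line_no, "kind": "pan",
                                 "value": mask_pan(digits)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f['line']:>3}  {f['kind']:<6}  {f['value']}")
```

Run against a real log directory or database export, a sweep like this turns up the places the SAQ scoping questions are asking about. The Luhn filter is what keeps the false-positive rate workable: the 16-digit invoice number on the third sample line is rejected, while the test PANs on lines 1, 2 and 4 are reported, and line 2 is additionally flagged for storing full track data.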

Cost for Being Non compliant

Non-compliance is not an option: large merchants are required to be PCI compliant, and those that are not face substantial monthly fines, levied by the card brands on the acquiring bank and passed on to the merchant. A non-compliant merchant may also pay higher interchange rates, which raises its processing costs, and the card brands are most likely to levy fines when a merchant is found to be non-compliant at the time of a data breach.

Moreover, the forensic investigation and remediation costs can far exceed the fines themselves; the cost of a card data breach has been estimated at anywhere from $90 to $305 per customer record exposed. Some merchants find the PCI DSS requirements irritating and frustrating; others see them as basic security practices that should be in place anyway.


Should Everyone Become PCI Compliant

PCI compliance covers far more of your business than your website. If your business takes credit card numbers over the phone, carries out face-to-face transactions, or keeps records of card numbers, none of that involves your website, yet all of it must meet the PCI requirements. So does every business need to be PCI compliant? The short answer is yes; the questions below address the points that commonly cause confusion.

Should I Be Worried About PCI Compliance?

Any business that accepts credit card payments from customers needs to be PCI compliant, even if it takes a card payment only once a year. The number of transactions does not matter. Even if your website hands payment off to a third-party service such as PayPal or Google Checkout, you still have to be PCI compliant (although the scope of what you must validate is much smaller), because it is your business that accepts card payments, not just your website.

What Will Happen If I Am Not PCI Compliant?

If your business does not meet the PCI compliance requirements and your systems are breached, penalties ranging from $5,000 to $500,000 can be imposed on your business. The fines are only the first consequence of non-compliance; numerous other damages to your business will follow.

Terminated Merchant File

If your business is not PCI compliant, you may lose your merchant account, which means you can no longer accept credit card payments at all. Worse, you can be placed on the Terminated Merchant File (TMF) maintained for Mastercard and Visa acquirers, which makes it extremely difficult to obtain another merchant account for years: entries are retained for five years. The TMF is in effect a blacklist for merchants, and getting a name removed from it is nearly impossible.

The Terminated Merchant File is now generally known as the MATCH list (Member Alert to Control High-risk Merchants). When a merchant is added, the record includes the principal's name, the business name, and the home and business addresses, so applying again under the name of a family member or business partner does not help: the application will be matched to the same blacklisted business and location.

Card holder Data Environment

Does a firewall configuration that prohibits direct public access between the Internet and any system in the cardholder data environment apply to you? Usually, yes: for an e-commerce site the cardholder data environment is not only the web server but also the database behind it. PCI DSS expects the Internet-facing web server to sit in a DMZ and the database to sit on an internal network segment that cannot be reached directly from the Internet, with a firewall between the two. The database should also run on its own server or virtual machine rather than sharing one with the web application (one primary function per server, Requirement 2.2.1).

Even if the database does not store card data, it serves content to the site that collects and transmits cardholder information, and any system connected to the cardholder data environment or able to affect its security is in scope.
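The firewall question above has a simple empirical check: from a host outside the cardholder data environment (ideally from the Internet), the web server's public port should answer and the database and administration ports should not. The script below is an added example, not from the original page, showing that check as a Python function. The host name and port numbers in the usage note are assumptions for illustration; the helpers that open a loopback listener and find an unused loopback port exist only so the example can demonstrate itself offline, with the listener standing in for the public web port and the unused port standing in for a correctly blocked database port.

```python
import socket


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host: str, must_be_open, must_be_closed) -> list:
    """Compare observed reachability of host with the intended policy.

    Returns a list of (port, problem) tuples. An empty list means the
    public-facing surface matches expectations: the service ports are
    reachable and the database/admin ports are not.
    """
    problems = []
    for port in must_be_open:
        if not port_open(host, port):
            problems.append((port, "expected reachable but connection failed"))
    for port in must_be_closed:
        if port_open(host, port):
            problems.append((port, "reachable from outside the CDE; must be blocked"))
    return problems


def start_local_listener():
    """Demo helper: open a TCP listener on an ephemeral loopback port and
    return (socket, port). It stands in for the public web server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_closed_port() -> int:
    """Demo helper: return a loopback port that currently has no listener,
    standing in for a database port the firewall blocks."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, web_port = start_local_listener()
    db_port = find_closed_port()
    try:
        # Correct exposure: web port open, database port closed.
        print(check_exposure("127.0.0.1", [web_port], [db_port]))
        # Misconfiguration: treat the listening port as a database port
        # that should have been blocked.
        print(check_exposure("127.0.0.1", [], [web_port]))
    finally:
        srv.close()
```

In real use the call would be something like `check_exposure("shop.example.com", [443], [22, 1433, 3306, 5432])` (host and ports assumed for illustration) run from outside the network, and a non-empty result means the firewall rules do not match the DMZ/internal split described above. Note that a closed port seen from one vantage point does not prove segmentation; a QSA will also want to see the firewall rule set and the network diagram.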