PCI 3.2 Questionnaire
Ian Terry

Even if you are familiar with the version 3.2 update from the Payment Card Industry Data Security Standard (PCI DSS), you may still need to iron out some of the fine details, such as those associated with the self-assessment questionnaire.

What Is the Purpose of the PCI DSS Self-Assessment Questionnaire?

The PCI DSS self-assessment questionnaire (SAQ) is a validation tool that merchants and other service providers use to report the results of their PCI DSS self-assessment. Merchants complete a SAQ every year and submit it to their acquiring bank to evaluate their compliance with the PCI DSS. In addition to letting the acquiring bank know that the merchant is in compliance, the SAQ helps merchants detect security practice breaches, which gives them the chance to make corrections before they become a bigger problem.

What Does the Basic Self-Assessment Questionnaire Entail?

Each SAQ consists of 12 individual sections, which are grouped into six broader categories called “control objectives.” Each section focuses on a specific area of PCI DSS security, and all sections must be completed.

The 12 Requirements for PCI DSS Compliance

Each new version of the PCI DSS has divided the 12 requirements for compliance into a number of different sub-requirements, depending on the nature of the SAQ and what it is designed to reveal. However, the 12 high-level requirements have remained the same since the inception of the PCI DSS self-assessment questionnaire testing tool.

The “expected testing” column of each SAQ provides merchants with high-level descriptions of each type of testing activity that needs to be performed to indicate whether the merchant is, or is not, compliant. Starting with Version 3, the SAQ has been updated to provide more guidance and reporting information for each PCI DSS requirement.

What Does It Take to Pass or Fail the Self-Assessment Questionnaire?

The merchant must pass, or be able to answer “not applicable” to, all the questions in order to be considered compliant with the PCI DSS. Missing a single question renders the merchant non-compliant, and the merchant must immediately address and remedy the risk revealed through the SAQ.

How to Choose the Best SAQ?

You may feel confident enough to determine the right SAQ for your business, or you may rely on a team of Qualified Security Assessors (QSAs), certified by the PCI Security Standards Council, to help you sort it out.

What’s New with the PCI DSS Version 3.2 SAQ?

The new PCI DSS Version 3.2 SAQ offers you more in-depth descriptions of the type of test you may need to serve your business, whether you are a merchant or PCI DSS-validated service provider.

If you want to try to understand the best SAQ for your organization, take a look at the following brief SAQ test descriptions for the Version 3.2 update:


This test focuses on card-not-present merchants like those working in e-commerce and telephone sales. These merchants have fully outsourced cardholder data to a third-party service provider.


Only applicable to e-commerce sellers who have outsourced all payment processing to validated PCI DSS compliant third-party service providers.


This test is only applicable to merchants who use imprint machines with no electronic cardholder data storage or standalone dial-out terminals that do not store data.


This type of SAQ applies to merchants using only standalone, PTS-approved payment terminals. In this test, there is an IP connection to the payment processor, but there is no electronic cardholder data storage.


This test is for merchants who manually enter a single transaction into an internet-based virtual payment terminal solution.


This test is meant for merchants who have payment application systems directly connected to the internet but do not have electronic cardholder data storage.


In this type of testing, merchants only use hardware payment terminals included in and managed by a validated PCI SSC-listed P2PE solution and have no electronic cardholder data storage.


There are two versions of this test. The first version is for all merchants not included in the preceding test descriptions. The second version is for all service providers defined and authorized by a payment brand as eligible to take a SAQ test.

Are You Ready for Your SAQ to Determine PCI DSS Version 3.2 Compliance?

Do you know which test is right for your business? If you feel uncertain and have questions, or if you need the assistance of a team of Qualified Security Assessors, I.S. Partners can help.

Contact us by sending us a message or calling us at 215-675-1400 to let us know what you need to help you pass your next SAQ to keep your business compliant with the PCI DSS Version 3.2 update. Together, we can figure out the best option for you.
