PCI-DSS: Self-assessment Questionnaire
Your SAQ and PCI-DSS 3.0: What You Need to Know
As a merchant, your ability to process customer payments is vital to the financial health of your business. Thus, ensuring your PCI-DSS compliance should be among the top priorities for you and your management team. It’s important to remember that this security framework is not meant to be viewed as a set of restrictions on how you can and cannot do business, but rather as a set of guidelines that help guarantee a secure payment environment and maintain consumer confidence. Keeping that point of view will make bringing your organization in line with PCI-DSS compliance standards that much easier.
New in 3.0
As companies have transitioned to PCI-DSS version 3.0, it is by completing a new self-assessment questionnaire (SAQ) released by PCI that they get an accurate idea of how the compliance guidelines apply to their organizations and to the payment processing methods they follow. This version includes brand new SAQ categories as well as new guidelines on the eligibility criteria for existing SAQs. The SAQs that come with 3.0 were specifically created to help merchants improve the reporting of information related to each PCI-DSS requirement. More guidance was also included to help you fill out your questionnaire completely and accurately. Each section now opens with an informative “Before You Begin” section to help you complete that portion of the assessment.
PCI-DSS 3.0 SAQs also contain three new reporting columns. “Expected Testing” details the tests performed as part of an organization’s assessment of its current standing against each compliance requirement. The two new columns entitled “Yes with CCW” (compensating control worksheet) and “N/A” replace the single “Special” column from version 2.0. This gives a clearer way to record how a company’s response meets each PCI-DSS requirement.
How Will New Changes Affect You?
With these new changes in place, you’re probably left wondering how they impact you and your organization. The most important thing to know about the updates is the change in eligibility criteria, which could affect which SAQ is right for you. What was appropriate for your payment model under 2.0 may have changed drastically under the new structure.
Other changes that you’ll want to be aware of as you complete your SAQ are:
- Previous requirements from version 2.0 that have been clarified or even extended into their own categories of sub-requirements.
- Updated acquirer instructions detailing which SAQ is appropriate for your company.
- Additional requirements new to version 3.0 that will also require validation.
As you and your organization prepare to adapt to the new PCI guidance structure, you’re provided with an excellent opportunity to look inward and improve in those areas where your PCI-DSS compliance falls short of accepted standards. Of course, in order to identify such process improvement opportunities, it helps to have an auditing partner who truly understands the new structure and all of its complexities. Our team here at I.S. Partners, LLC is well-versed in PCI-DSS 3.0 and knows exactly how to help raise your security standards in order to maintain a compliant environment. We invite you to allow us to help shed further light on your company’s PCI-DSS responsibilities in this new 3.0 environment, thus enabling you to easily transition to this new set of standards.
If you would like to receive more information about I.S. Partners, LLC, please call 215-675-1400 or email us at [email protected]