New White Paper: “The Complete Guide to Enterprise Risk Management” DOWNLOAD NOW
Author Picture

Updated on August 9, 2018 by Mark Keppler

Share this article!share this article
Listen to: "PCI-DSS: Self-assessment Questionnaire"

Diligent merchants tend to actively seek out the best ways to protect cardholder data for their valued customers. The nature of online business dictates that caring business owners look out for their customers’ best interests as they profit from collecting, storing and transmitting their valuable personal and financial information.

A PCI DSS Self-Assessment Questionnaire (SAQ) is a document developed and intended for merchants who commit to PCI DSS accountability and audits. Each participating merchant must complete this set of questions each year and submit it to their acquiring bank that processes their credit and debit card transactions.

Designed, developed and deployed by the PCI Security Standard Council, the SAQ serves as a validation tool that helps merchants and other service providers who are allowed to operate by the various payment brands—American Express, Discover Financial Services, MasterCard, Visa and JCB International—to self-evaluate according to the standards within the PCI DSS.

The Fundamentals of the PCI DSS SAQ to Help You Stay PCI Compliant

Digging a little deeper into the fundamentals about the PCI DSS SAQ will give you a good foundation as you begin developing your own strategy to achieve solid and consistent PCI compliance.

Each SAQ consists of a set of 12 security requirements, which are further subdivided into six broader sections, which are also known as “control objectives.” Each of those six sections targets a specific security concern from the PCI DSS. Each merchant must complete all sections.

For each completed SAQ, a merchant has the opportunity to see and evaluate their own security practices. The results allow merchants to plan compliance according to the requirements of the PCI DSS with a more targeted and solution-oriented focus. Finally, the SAQ provides the acquiring bank the necessary evidence and assurance that the merchant has achieved PCI compliance for the prescribed time frame.

While it seems simple enough to answer some basic questions, there are eight different versions of the SAQ to consider. The version that your company will need to complete depends on the way that your organization handles credit card data, which is called your “validation type.” Some SAQs are short and simple while others are long, complex and technical. Your responses to the first five or six questions will determine your validation type, allowing you to then shift to the appropriate questionnaire for your business’s designation.

You may also explore the four basic levels of PCI compliance to learn where your company falls, based on the size of your business and the number of credit card transactions performed.

These fundamental tidbits can help you get started on the right foot when launching your bid for optimal PCI compliance. Whether your business is new, or you simply want to up your compliance game, these basic points can help you get going in the right direction before tackling the latest PCI DSS SAQ updates.

The Latest Updates for the PCI DSS SAQ: Version 3.2

PCI DSS Version 3.2 (v3.2) SAQ was introduced in 2016 and became officially enforceable February 1, 2018. These new standard compliance requirements have brought some significant changes to the SAQ process to allow for more insightful responses and better overall evaluations of each organization’s controls.

One of the most important aspects of the PCI DSS v3.2 SAQ is its more detailed and in-depth descriptions of the type of test required for your business, whether you are a DSS-validated service provider or a merchant.

Additionally, the newly developed Prioritized Approach takes a more in-depth tack in discussing the 12 requirements of the PCI DSS SAQ process. The Prioritized Approach groups the earlier noted 12 standard PCI DSS requirements into six milestones that serve as a roadmap for designing, developing, implementing and monitoring security policies, protocols and practices. All together, the Prioritized Approach helps your Qualified Security Assessor (QSA) evaluate security controls to facilitate more consistency in their own auditing methods.

Following are the 12 basic requirements of PCI DSS v3.2:

  1. Install and maintain a firewall configuration for all systems and networks
  2. Do not use any vendor-supplied defaults for security procedures, such as passwords
  3. Secure cardholder information throughout the life of storage
  4. Employ encryptions any time that cardholder data is transmitted
  5. Use, maintain and update antivirus software
  6. Design, develop and maintain secure network systems and applications
  7. Restrict user access to cardholder data to essential personnel
  8. Create a unique ID for any persons accessing cardholder data
  9. Restrict and monitor any access to physical cardholder information
  10. Track and monitor any access and interaction involving network systems and cardholder data
  11. Monitor and test processes and systems related to cardholder data
  12. Develop and maintain cardholder data security policies

Each requirement is further broken down to provide in-depth details about the requirement itself, as well as how to comply with each requirement. The goal of providing these requirements is to serve as a guide, so you can easily and confidently find instructions and guidelines to ensure improved PCI compliance.

The Six Milestones can certainly help you navigate the requirements, so take a look at what they entail:

  1. The removal of authentication data from all network storage devices and the limitation of data retained
  2. The protection of points of access for networks and systems, as well as the response to system breaches
  3. The securing of payment card applications within application servers, processes and controls
  4. The monitoring and controlling of all authorized access
  5. The protection of stored data, using key protection mechanisms
  6. The completion of all PCI DSS requirements, along with finalizing related processes, procedures and policies

Attestation of Compliance for PCI DSS

Another crucial component of the PCI DSS SAQ is the Attestation of Compliance, which includes your declaration of eligibility for completing the SAQ and the subsequent results. You might even consider reaching out to a QSA to assist in navigating your SAQ for the most illuminating and useful results. Your QSA can help you make sure that you find errors, inconsistencies and oversights that are within your power to correct before they become official problems that could leave your cardholders vulnerable to systems issues and data breaches.

Are You Ready to Take on the PCI DSS v3.2 SAQ for Top-Tier PCI Compliance?

If you are ready to start delving into the PCI DSS v3.2 changes but feel you need some extra guidance, our team at I.S. Partners, LLC. can help. Our QSAs are happy to help you expertly cruise through the SAQ best suited to you company.

Call us today at 215-631-3452, start a chat session or send us a message to start asking your own questions about the extremely important Self-Assessment Questionnaire and how we can help you.

Author Picture

About Mark Keppler

Senior Director of Information Security Mark is a Senior Director in the IS Partners Information Security Practice providing clients with Information Systems Security, Risk Assessment, and IT audit services. Mark has over 20 years of experience in IT Risk and Controls, including IT Audit, PCI DSS Compliance assessments, Risk Assessment, working with Security Frameworks (such as ISO and NIST), Vulnerability Management, Disaster Recovery / Business Continuity, Vendor Management / Due Diligence, and Data Privacy. Mark has experience in a variety of industries, including Banking and financial services, Insurance, Retail, Utilities, and Education.Mark served as Chief Information Security Officer of a New Jersey based Bank prior to joining IS Partners where he was responsible for Security, Disaster Recovery / Business Continuity, Third Party Risk Management, and Risk Assessment. During his tenure as CISO Mark implemented an Information Security Management System which included a redesign of critical security / risk management processes for example:Patch and Vulnerability Management Risk Assessment Process Incident Response Process Asset Management Complete re-write of the Bank’s Security PoliciesMark holds the CISA, CISSP, PCI QSA, and ISO27001 Lead Auditor certifications. Read other articles written by Mark Keppler

Related Articles

How to Keep Employees and Your Organization PCI Compliant How to Keep Employees and Your Organization PCI Compliant
How to Keep Employees and Your Organization PCI Compliant
Is Your Server PCI Compliant? Is Your Server PCI Compliant?
Is Your Server PCI Compliant?
Changes Are on the Horizon from PCI SSC: Phasing Out PA-DSS v3.2 in 2022 Changes Are on the Horizon from PCI SSC: Phasing Out PA-DSS v3.2 in 2022
Changes Are on the Horizon from PCI SSC: Phasing Out PA-DSS v3.2 in 2022
PCI DSS 4.0 Is Coming in 2020: What to Expect PCI DSS 4.0 Is Coming in 2020: What to Expect
PCI DSS 4.0 Is Coming in 2020: What to Expect
Untitled-1

Get Hassle-free Pricing in 3 Easy Steps

1
Request a quote using the form below
2
Allow us to create a customized plan
3
We'll get you an accurate, no-obligation quote
Untitled-1Asset 1Request a Quote Background

Request a Quote

Please fill out the fields below and one of our compliance specialists will contact you shortly. Want to speak to us now? Call us at (866) 642-2230

Request a Quote (Keep)

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.

Sending
Privacy | Terms | Sitemap | Seals

© 2020 I.S. Partners