Call Us
Quote
Resources
PCI Assurance

PCI-DSS: Self-assessment Questionnaire

PCI-DSS: Self-assessment Questionnaire

Author Picture

Published on August 9, 2018 by John DeCesare

Share this article!share this article

LinkedInPin

Diligent merchants tend to actively seek out the best ways to protect cardholder data for their valued customers. The nature of online business dictates that caring business owners look out for their customers’ best interests as they profit from collecting, storing and transmitting their valuable personal and financial information.

A PCI DSS Self-Assessment Questionnaire (SAQ) is a document developed and intended for merchants who commit to PCI DSS accountability and audits. Each participating merchant must complete this set of questions each year and submit it to their acquiring bank that processes their credit and debit card transactions.

Designed, developed and deployed by the PCI Security Standard Council, the SAQ serves as a validation tool that helps merchants and other service providers who are allowed to operate by the various payment brands—American Express, Discover Financial Services, MasterCard, Visa and JCB International—to self-evaluate according to the standards within the PCI DSS.

The Fundamentals of the PCI DSS SAQ to Help You Stay PCI Compliant

Digging a little deeper into the fundamentals about the PCI DSS SAQ will give you a good foundation as you begin developing your own strategy to achieve solid and consistent PCI compliance.

Each SAQ consists of a set of 12 security requirements, which are further subdivided into six broader sections, which are also known as “control objectives.” Each of those six sections targets a specific security concern from the PCI DSS. Each merchant must complete all sections.

For each completed SAQ, a merchant has the opportunity to see and evaluate their own security practices. The results allow merchants to plan compliance according to the requirements of the PCI DSS with a more targeted and solution-oriented focus. Finally, the SAQ provides the acquiring bank the necessary evidence and assurance that the merchant has achieved PCI compliance for the prescribed time frame.

While it seems simple enough to answer some basic questions, there are eight different versions of the SAQ to consider. The version that your company will need to complete depends on the way that your organization handles credit card data, which is called your “validation type.” Some SAQs are short and simple while others are long, complex and technical. Your responses to the first five or six questions will determine your validation type, allowing you to then shift to the appropriate questionnaire for your business’s designation.

You may also explore the four basic levels of PCI compliance to learn where your company falls, based on the size of your business and the number of credit card transactions performed.

These fundamental tidbits can help you get started on the right foot when launching your bid for optimal PCI compliance. Whether your business is new, or you simply want to up your compliance game, these basic points can help you get going in the right direction before tackling the latest PCI DSS SAQ updates.

The Latest Updates for the PCI DSS SAQ: Version 3.2

PCI DSS Version 3.2 (v3.2) SAQ was introduced in 2016 and became officially enforceable February 1, 2018. These new standard compliance requirements have brought some significant changes to the SAQ process to allow for more insightful responses and better overall evaluations of each organization’s controls.

One of the most important aspects of the PCI DSS v3.2 SAQ is its more detailed and in-depth descriptions of the type of test required for your business, whether you are a DSS-validated service provider or a merchant.

Additionally, the newly developed Prioritized Approach takes a more in-depth tack in discussing the 12 requirements of the PCI DSS SAQ process. The Prioritized Approach groups the earlier noted 12 standard PCI DSS requirements into six milestones that serve as a roadmap for designing, developing, implementing and monitoring security policies, protocols and practices. All together, the Prioritized Approach helps your Qualified Security Assessor (QSA) evaluate security controls to facilitate more consistency in their own auditing methods.

Following are the 12 basic requirements of PCI DSS v3.2:

  1. Install and maintain a firewall configuration for all systems and networks
  2. Do not use any vendor-supplied defaults for security procedures, such as passwords
  3. Secure cardholder information throughout the life of storage
  4. Employ encryptions any time that cardholder data is transmitted
  5. Use, maintain and update antivirus software
  6. Design, develop and maintain secure network systems and applications
  7. Restrict user access to cardholder data to essential personnel
  8. Create a unique ID for any persons accessing cardholder data
  9. Restrict and monitor any access to physical cardholder information
  10. Track and monitor any access and interaction involving network systems and cardholder data
  11. Monitor and test processes and systems related to cardholder data
  12. Develop and maintain cardholder data security policies

Each requirement is further broken down to provide in-depth details about the requirement itself, as well as how to comply with each requirement. The goal of providing these requirements is to serve as a guide, so you can easily and confidently find instructions and guidelines to ensure improved PCI compliance.

The Six Milestones can certainly help you navigate the requirements, so take a look at what they entail:

  1. The removal of authentication data from all network storage devices and the limitation of data retained
  2. The protection of points of access for networks and systems, as well as the response to system breaches
  3. The securing of payment card applications within application servers, processes and controls
  4. The monitoring and controlling of all authorized access
  5. The protection of stored data, using key protection mechanisms
  6. The completion of all PCI DSS requirements, along with finalizing related processes, procedures and policies

Attestation of Compliance for PCI DSS

Another crucial component of the PCI DSS SAQ is the Attestation of Compliance, which includes your declaration of eligibility for completing the SAQ and the subsequent results. You might even consider reaching out to a QSA to assist in navigating your SAQ for the most illuminating and useful results. Your QSA can help you make sure that you find errors, inconsistencies and oversights that are within your power to correct before they become official problems that could leave your cardholders vulnerable to systems issues and data breaches.

Are You Ready to Take on the PCI DSS v3.2 SAQ for Top-Tier PCI Compliance?

If you are ready to start delving into the PCI DSS v3.2 changes but feel you need some extra guidance, our team at I.S. Partners, LLC. can help. Our QSAs are happy to help you expertly cruise through the SAQ best suited to you company.

Call us today at 215-631-3452, start a chat session or send us a message to start asking your own questions about the extremely important Self-Assessment Questionnaire and how we can help you.

Twitter Facebook Google+ LinkedIn Reddit StumbleUpon
Author Picture

Written by

John has over 22 years of experience working in the manufacturing, distribution, not-for-profit, governmental, insurance, public utilities and service industries. John has expertise in various aspects of the accounting, auditing and consulting disciplines. He has directed a full range of value-added services and has consulted to Senior Executives in middle market and Fortune 500 companies. His experience includes Sarbanes-Oxley compliance, SSAE 16 (SOC 1) audits, outsourcing and contract services, financial management, accounting and strategic planning, due diligence, business restructuring / re-engineering, process improvement and risk assessment. Prior to establishing IS Partners LLC, John worked at PriceWaterhouseCoopers, LLC in their business advisory and assurance practice in Philadelphia, PA. John graduated from LaSalle University in Philadelphia, PA.

John DeCesare frequently blogs for I.S. Partners, LLC. Read other articles written by John DeCesare

Request a Quote

Get hassle-free pricing in 3 easy steps:

  • Step 1: Send us a message
  • Step 2: Allow us to create a customized plan
  • Step 3: We’ll get you an accurate, no-obligation quote
[form_name]

Start Here

Request a Quote

Please fill out the fields below and one of our specialists will contact you shortly. Want to speak to us now? Call us at (866) 335-6235

Request a Quote (New Site)

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.

Sending
Privacy | Terms | Sitemap | Seals

© 2014-2019 I.S. Partners, LLC.

I.S. Partners

Your choice regarding cookies on this site

This website stores cookies on your computer. These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, see our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.

I accept I decline
Cookie Policy