PCI-DSS: Self-assessment Questionnaire

Diligent merchants tend to actively seek out the best ways to protect cardholder data for their valued customers. The nature of online business dictates that caring business owners look out for their customers’ best interests as they profit from collecting, storing and transmitting their valuable personal and financial information.

A PCI DSS Self-Assessment Questionnaire (SAQ) is a document developed and intended for merchants who commit to PCI DSS accountability and audits. Each participating merchant must complete this set of questions each year and submit it to their acquiring bank that processes their credit and debit card transactions.

Designed, developed and deployed by the PCI Security Standard Council, the SAQ serves as a validation tool that helps merchants and other service providers who are allowed to operate by the various payment brands—American Express, Discover Financial Services, MasterCard, Visa and JCB International—to self-evaluate according to the standards within the PCI DSS.

The Fundamentals of the PCI DSS SAQ to Help You Stay PCI Compliant

Digging a little deeper into the fundamentals about the PCI DSS SAQ will give you a good foundation as you begin developing your own strategy to achieve solid and consistent PCI compliance.

Each SAQ consists of a set of 12 security requirements, which are further subdivided into six broader sections, which are also known as “control objectives.” Each of those six sections targets a specific security concern from the PCI DSS. Each merchant must complete all sections.

For each completed SAQ, a merchant has the opportunity to see and evaluate their own security practices. The results allow merchants to plan compliance according to the requirements of the PCI DSS with a more targeted and solution-oriented focus. Finally, the SAQ provides the acquiring bank the necessary evidence and assurance that the merchant has achieved PCI compliance for the prescribed time frame.

While it seems simple enough to answer some basic questions, there are eight different versions of the SAQ to consider. The version that your company will need to complete depends on the way that your organization handles credit card data, which is called your “validation type.” Some SAQs are short and simple while others are long, complex and technical. Your responses to the first five or six questions will determine your validation type, allowing you to then shift to the appropriate questionnaire for your business’s designation.

You may also explore the four basic levels of PCI compliance to learn where your company falls, based on the size of your business and the number of credit card transactions performed.

These fundamental tidbits can help you get started on the right foot when launching your bid for optimal PCI compliance. Whether your business is new, or you simply want to up your compliance game, these basic points can help you get going in the right direction before tackling the latest PCI DSS SAQ updates.

The Latest Updates for the PCI DSS SAQ: Version 3.2

PCI DSS Version 3.2 (v3.2) SAQ was introduced in 2016 and became officially enforceable February 1, 2018. These new standard compliance requirements have brought some significant changes to the SAQ process to allow for more insightful responses and better overall evaluations of each organization’s controls.

One of the most important aspects of the PCI DSS v3.2 SAQ is its more detailed and in-depth descriptions of the type of test required for your business, whether you are a DSS-validated service provider or a merchant.

Additionally, the newly developed Prioritized Approach takes a more in-depth tack in discussing the 12 requirements of the PCI DSS SAQ process. The Prioritized Approach groups the earlier noted 12 standard PCI DSS requirements into six milestones that serve as a roadmap for designing, developing, implementing and monitoring security policies, protocols and practices. All together, the Prioritized Approach helps your Qualified Security Assessor (QSA) evaluate security controls to facilitate more consistency in their own auditing methods.

Following are the 12 basic requirements of PCI DSS v3.2:

1. Install and maintain a firewall configuration for all systems and networks
2. Do not use any vendor-supplied defaults for security procedures, such as passwords
3. Secure cardholder information throughout the life of storage
4. Employ encryptions any time that cardholder data is transmitted
5. Use, maintain and update antivirus software
6. Design, develop and maintain secure network systems and applications
7. Restrict user access to cardholder data to essential personnel
8. Create a unique ID for any persons accessing cardholder data
9. Restrict and monitor any access to physical cardholder information
10. Track and monitor any access and interaction involving network systems and cardholder data
11. Monitor and test processes and systems related to cardholder data
12. Develop and maintain cardholder data security policies

Each requirement is further broken down to provide in-depth details about the requirement itself, as well as how to comply with each requirement. The goal of providing these requirements is to serve as a guide, so you can easily and confidently find instructions and guidelines to ensure improved PCI compliance.

The Six Milestones can certainly help you navigate the requirements, so take a look at what they entail:

1. The removal of authentication data from all network storage devices and the limitation of data retained
2. The protection of points of access for networks and systems, as well as the response to system breaches
3. The securing of payment card applications within application servers, processes and controls
4. The monitoring and controlling of all authorized access
5. The protection of stored data, using key protection mechanisms
6. The completion of all PCI DSS requirements, along with finalizing related processes, procedures and policies

Attestation of Compliance for PCI DSS

Another crucial component of the PCI DSS SAQ is the Attestation of Compliance, which includes your declaration of eligibility for completing the SAQ and the subsequent results. You might even consider reaching out to a QSA to assist in navigating your SAQ for the most illuminating and useful results. Your QSA can help you make sure that you find errors, inconsistencies and oversights that are within your power to correct before they become official problems that could leave your cardholders vulnerable to systems issues and data breaches.

Are You Ready to Take on the PCI DSS v3.2 SAQ for Top-Tier PCI Compliance?

If you are ready to start delving into the PCI DSS v3.2 changes but feel you need some extra guidance, our team at I.S. Partners, LLC. can help. Our QSAs are happy to help you expertly cruise through the SAQ best suited to you company.

Call us today at 215-631-3452, start a chat session or send us a message to start asking your own questions about the extremely important Self-Assessment Questionnaire and how we can help you.