PCI Compliance – Which SAQ Are You?

August 10, 2016 The TNS Group

If you handle credit card transactions you will no doubt have heard about PCI Compliance. How do you know whether you are in compliance or not? Well, there is the enticingly titled Payment Card Industry Data Security Standard Self-Assessment Questionnaire (PCI DSS SAQ) to give you the answer. Often written as PCI SAQ, this validation tool is intended to aid merchants and/or service providers in reporting their results after completing their PCI DSS self-assessment.

All merchants and service providers are required to comply with the PCI DSS as it applies to their environments at all times, but why is it so important? Non-compliance could lead to a security breach and subsequent compromise of payment card data, which has far-reaching consequences for affected organizations, including:

1. Regulatory notification requirements

2. Loss of reputation

3. Loss of customers

4. Potential financial liabilities (for example, regulatory and other fees and fines)

5. Litigation

Some common examples of failures include:

  • Missing and outdated security patches
  • Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems)
  • Default system settings and passwords not changed when the system was installed
  • Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the website

So hopefully I’ve grabbed your attention, and you have realized that you must pay closer attention to your PCI SAQ. Now you must be wondering: how do you know which SAQ is applicable to you?

The following table outlines the guidelines:

SAQ Type: Description

A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

B: Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

C: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.

P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

D-MER: All merchants not included in the descriptions for the above SAQ types.

D-SP: All service providers defined by a payment brand as eligible to complete a SAQ.

If you have any further questions on PCI Compliance, contact The TNS Group and we can help ensure that your systems are both secure and compliant.

By: Richard Werner, Business Development, The TNS Group
