Prove your payment card security to your bank through an SAQ.
By: Brand Barney
Essentially, a PCI questionnaire is a list of security standards that businesses must review and follow. Depending on how you process credit cards (and on how secure that method of processing is), you may be required to fill out anything from a PCI SAQ A (14 questions) to a PCI SAQ D (329 questions).
Determining which SAQ is appropriate for you

There are 9 different SAQs a merchant must choose from, depending on the way you process, store, or handle credit and debit cards. For example, if you do not have a storefront and all your products are sold online through a third party, you probably qualify for SAQ A or SAQ A EP. If you have a storefront that processes credit cards through the Internet and you also store customer credit card data, you are probably an SAQ D merchant.
SEE ALSO: Updating to PCI 3.2 SAQs: The Changes You Should Know
Here’s the entire list of PCI SAQs. (List updated July 2014 to reflect the most recent PCI 3.0 changes.)
- A: Ecommerce merchants that fully outsource payment processing
- A EP: Merchants that partially outsource ecommerce
- B: Merchants connected to phone line terminal
- B IP: Merchants with standalone IP-connected processing terminals
- CVT: Merchants that only process via virtual terminal on one computer
- C: Merchants connected to Internet with no electronic storage
- D Merchant: Merchants that store payment card data electronically
- D Service Provider: Service providers that store card data
- P2PE-HW: Merchants that only use P2PE-validated processing terminals
Why is this a requirement?

The Self-Assessment Questionnaire isn’t just a roadmap to compliance; it’s a roadmap to great security! Filling out a PCI SAQ is the best way to make sure you aren’t missing any business security requirements. In addition, merchant processors don’t want to work with insecure businesses, so they typically require each merchant to provide their SAQ as proof of payment security.
SEE ALSO: PCI FAQ
Remember that no matter your SAQ letter, you are still required to follow ALL the PCI DSS standards. If you find that some requirements are too technical, SecurityMetrics would love to help, or enlist the help of your IT guru.
Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.