SAQ C: Securing Your Payment Application
See what’s required for this SAQ.
By: Jen Stone, Security Analyst, CISSP, QSA
SAQ C merchants process cardholder data via point-of-sale (POS) systems or other payment application systems connected to the Internet. They don’t store cardholder data on any computer system, and they can be either card-present or card-not-present merchants.
Here’s a quick look into what you should know about SAQ C.
Who qualifies for SAQ C?
You should fill out this SAQ if the following qualifiers apply to you:
- Your business has a payment application system and an Internet connection on the same device and/or same local area network (LAN)
- The payment application system isn’t connected to any other systems within your environment
- The POS environment isn’t connected to other locations, and any LAN is for a single location only
- Any cardholder data your business retains is on paper (for example, printed reports or receipts), and these documents are not received electronically
- Your company does not store cardholder data in electronic format
What’s the difference between SAQ C and SAQ C-VT?
SAQ C-VT applies to merchants who process payments via virtual payment terminals, while SAQ C deals with isolated payment application systems that are connected to the Internet and don’t store electronic cardholder data.
SEE ALSO: SAQ C-VT: The Basics You Should Know
What requirements does this SAQ cover?
SAQ C touches on all the requirements, but some requirements call for more attention than others.
- Requirement 1: Install and maintain a firewall configuration to protect data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security for all personnel
What questions will I answer?
SAQ C has a total of 160 questions. Here are some sample questions you may be required to answer.
- Is inbound and outbound traffic restricted to what’s necessary for the cardholder data environment?
- Are vendor-supplied default credentials always changed before installing a system on the network?
- Is sensitive authentication data deleted or made unrecoverable after the authorization process?
- Are only trusted keys and/or certificates accepted?
- Is anti-virus software deployed on all systems commonly affected by malicious software?
- Are critical security patches installed within one month of release?
- Are individuals assigned access based on their job classification and function?
- Are all users assigned a unique ID before allowing them to access system components or cardholder data?
- Are user passwords/passphrases changed at least once every 90 days?
- Is all media destroyed when it is no longer needed for business or legal reasons?
- Are audit logs retained for at least one year?
- Are quarterly internal vulnerability scans performed?
- Is a list of service providers maintained, including a description of the service(s) provided?
Additional tips
Here are a few other things to consider when filling out SAQ C:
- Document everything: Make sure you’re documenting all policies and procedures. It helps you keep everything organized and protects you from liability
- Segment your networks: Keeping your card data environment separate from the rest of your business can help reduce your PCI scope
- Talk to a Qualified Security Assessor: If you’re not familiar with PCI, it’s a good idea to talk to someone who is. PCI experts can help you find areas where you’re lacking in security
Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.