Learn what merchants must do to fill out SAQ D

Michael Simpson, QSA, CISSP
By: Michael Simpson
Principal Security Analyst
Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ) D is the longest SAQ mostly because it deals with securing electronic card data that businesses process, store, and transmit. It’s vital that businesses secure this data, which is why the process for filling out this SAQ is fairly extensive.
Here are some things merchants should know about SAQ D.

Who qualifies for SAQ D?  

SAQ D, PCI DSSSAQ D applies to merchants who don’t meet the criteria for any other SAQ type. This SAQ handles merchants who store card data electronically and do not use a P2PE certified POS system. Some examples include:
  • E-commerce merchants who accept cardholder data on their website
  • Merchants with electronic storage of cardholder data
  • Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type
  • Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment 

What requirements does the SAQ cover? 

Similar to SAQ C, SAQ D covers all 12 of the PCI DSS requirements as follows:
  • Requirement 1: Install and maintain a firewall configuration to protect data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data 
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel
Keep in mind that while many organizations completing SAQ D will need to be compliant with each requirement, some organizations with very specific business models may find that some requirements do not apply. Examples include:
  • Questions specific to securing wireless technologies only need to be answered if wireless is present anywhere in your network. (Requirements 1.2.3, 2.1.1, and 4.1.1)
  • Questions specific to application development and secure coding only should be answered if your organization develops its own applications. (Requirements 6.3 and 6.5)
  • Questions for Requirements 9.1.1 and 9.3 should be answered for facilities that have any area that houses systems that store, process, or transmit cardholder data. 

What questions will I be answering? 

Here are some sample questions you will be answering. Remember that these are only a few of many.
    PCI SAQ, Self-assessment questionnaire
  • Is there a formal process for approving and testing all network connections and changes to the firewall and router configurations?
  • Are default passwords/passphrases on access points changed at installation?
  • Does all stored cardholder data meet the requirements defined in the data-retention policy? 
  • For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? 
  • Is anti-virus software deployed on all systems commonly affected by malicious software?
  • Is information security included throughout the software development life cycle?
  • Is the access control system(s) in place on all system components?
  • Are inactive user accounts either removed or disabled within 90 days?
  • Is the location where media back-ups are stored reviewed at least annually to confirm storage is secure?
  • Is viewing of audit trails limited to those with a job-related need?
  • Are quarterly external vulnerability scans performed?
  • Do security policy and procedures clearly define information security responsibilities for all personnel?

Additional tips

Here are some things you should consider when getting compliant with SAQ D:
  • Track your card data: make sure you know where your card data comes in and out of your business environment
  • Document policies: the more you document your policies and procedures, the more organized your business’s security will be
  • Consider a PCI audit: if you’re not sure you’re compliant, an audit can help you see where you’re lacking in security
  • Train employees: it's crucial that your employees are properly trained on security policies and procedures. 
Need help with PCI compliance? Talk to us!

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.