The annual Self-Assessment Questionnaire (SAQ) used for attesting PCI compliance can be a bit overwhelming at first glance. Whether it is the first year you are completing an SAQ, or your tenth year of attesting compliance, it is not uncommon to feel a little uncertain about the answers you are providing. If you have merchants who are not well versed in PCI, they may struggle even more to understand the terminology and answer questions accurately for their locations.
Below are some of the more common questions we see from merchants during the annual SAQ completion process:
Which SAQ should a merchant complete?
The payment channels (e.g. in person, over the phone, etc.) and whether or not cardholder data is being stored are the two key criteria used to determine which SAQ the merchant needs to fill out. For example, if they don’t have a storefront and all of the products/services are sold online through a third party, they would most likely qualify for SAQ A or SAQ A-EP. If they are accepting payment cards in person, as well as online, and they also store customer payment card data, then they would be an SAQ D merchant. Below is a table illustrating each of the SAQ types. CampusGuard recommends consulting with your QSA to accurately determine the correct SAQ for each merchant on campus. This is a good exercise, both to help verify that the SAQ assignment is correct and to potentially uncover some areas that may benefit from scope reduction.
When should an SAQ be completed?
This will often be determined by your acquirer. If you have been asked by your bank/acquirer to attest compliance, they will likely have also given you a specific date. Going forward, this will be the date on which they will be expecting your annual update. We recommend that you define an annual cycle that includes training, pen testing, SAQ completion, etc., with all quarterly and monthly tasks also being scheduled accordingly. It is helpful to have merchants complete their annual PCI training requirement first so they are up to date on any changes within the DSS and their responsibilities for compliance are fresh in their minds. Then, you can have them walk through the SAQ for their area.
Do I have to be able to answer YES to every question within the SAQ to be compliant?
In order to attest PCI compliance, you must be able to answer YES or NA to every requirement within the assigned SAQ.
The option of Compensating Controls may be considered when a merchant cannot meet a requirement explicitly as stated due to a legitimate technical or documented business constraint, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must: 1) meet the intent and rigor of the original PCI DSS requirement; 2) provide a similar level of defense as the original PCI DSS requirement; 3) be above and beyond the PCI DSS requirements; and 4) be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. For each compensating control, the merchant must complete a corresponding Compensating Control Worksheet, documenting how the specified control meets the above four criteria, as well as how the control will be maintained. After that worksheet has been prepared, it must be formally accepted by the merchant’s acquirer. Compensating controls are often only approved for a single year, with the expectation that the merchant will be able to meet the control as written in the future. A Compensating Control, with permission/approval from your acquiring bank, is acceptable within a compliant SAQ.
Unfortunately, one NO answer turns your compliant SAQ into a non-compliant SAQ. However, the priority is always that all questions must be answered honestly and accurately. By partnering with the merchant during the SAQ completion process, you should be able to help them successfully remediate any areas identified as non-compliant.
Confusion is also common regarding the following questions within the SAQ:
What should we provide for the “Description of Payment Card Business” (Part 2b)?
Merchants are often unclear as to how much information to provide in this section. CampusGuard recommends providing a high-level overview of how cardholder data flows in your business and how (and which) third parties are involved. Part 2b is looking for a description of how payment cards are handled in your environment. Your description should include the processes and procedures for storing, processing, and/or transmitting cardholder data (CHD). Respond to each of the three key areas, for example, “we do not store CHD at any time” and “we use PTS-approved swipe terminals” (consider including the actual terminal type). The response here should give the reader a good idea of how payment cards are handled by the merchant area.
Does the organization use one or more payment applications (Part 2d)?
This is another question that is often met with confusion. A Payment Application is a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is off-the-shelf software installed on the merchant’s premises. PA-DSS does NOT include custom software created just for the merchant, or software that is hosted by a PCI-validated third-party service provider that maintains the payment application.
Does your business use network segmentation (Part 2e)?
Merchants may need to involve IT resources on this question, but basically, network segmentation refers to any physical or logical separation between devices that handle cardholder data and are in PCI scope from those systems that are not in scope for PCI compliance. If there are any firewalls, routers, or other systems in place that restrict network traffic to or from the systems within the merchant area and between the remainder of the campus network, you would answer “Yes” to this question.
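Answering “Yes” to Part 2e is only defensible if the firewall or router policy actually restricts traffic between the rest of the campus network and the systems that handle cardholder data. The following is an added example (not code from CampusGuard or the PCI SSC) of the kind of check an IT team can run over an exported rule set before the merchant attests: it walks an ordered, first-match, default-deny rule list and reports every allow rule that lets a non-CDE network reach a CDE network, unless an earlier deny rule fully shadows that path. The rule format, the `Rule` class, the subnet values, and the two rule sets are all constructed for illustration; a real review would load the rules from the actual firewall export and define the CDE and campus networks from the merchant’s network diagram. Every path the script reports is either a segmentation gap or a connected-to system that must itself be treated as in scope.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One entry of an ordered, first-match firewall policy (constructed format)."""
    src: str            # source CIDR
    dst: str            # destination CIDR
    port: Optional[int] # destination port; None means any port
    action: str         # "allow" or "deny"

def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)

def exposing_rules(rules: List[Rule], cde_nets: List[str], other_nets: List[str]
                   ) -> List[Tuple[int, str, str, Optional[int]]]:
    """Return (rule_index, other_net, cde_net, port) for every allow rule that
    permits traffic from a non-CDE network into a CDE network and is not fully
    shadowed by an earlier deny rule. Policy semantics: first match wins,
    implicit deny at the end."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        rs, rd = _net(r.src), _net(r.dst)
        for o in other_nets:
            o_net = _net(o)
            if not rs.overlaps(o_net):
                continue
            for c in cde_nets:
                c_net = _net(c)
                if not rd.overlaps(c_net):
                    continue
                # Two CIDR blocks that overlap are nested, so the part of this allow
                # rule that touches the (other -> CDE) pair is the smaller block on each side.
                inter_src = rs if rs.subnet_of(o_net) else o_net
                inter_dst = rd if rd.subnet_of(c_net) else c_net
                # An earlier deny that covers the whole intersection (and the same
                # port, or any port) means the allow never fires for this pair.
                shadowed = any(
                    d.action == "deny"
                    and inter_src.subnet_of(_net(d.src))
                    and inter_dst.subnet_of(_net(d.dst))
                    and (d.port is None or d.port == r.port)
                    for d in rules[:i]
                )
                if not shadowed:
                    findings.append((i, o, c, r.port))
    return findings

# Constructed sample networks: a card-processing VLAN and two non-CDE ranges.
CDE_NETS = ["10.20.5.0/24"]
CAMPUS_NETS = ["10.0.0.0/16", "172.16.0.0/12"]

# Constructed weak policy: every internal host may reach the CDE on any port.
WEAK_RULES = [
    Rule("10.0.0.0/8", "10.20.5.0/24", None, "allow"),
]

# Constructed segmented policy: one admin subnet over HTTPS, then an explicit
# deny into the CDE, then a permissive default for everything else.
SEGMENTED_RULES = [
    Rule("10.0.9.0/24", "10.20.5.0/24", 443, "allow"),
    Rule("0.0.0.0/0", "10.20.5.0/24", None, "deny"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow"),
]

def is_segmented(rules: List[Rule], cde_nets: List[str], other_nets: List[str]) -> bool:
    """True when no non-CDE network has any allowed path into the CDE."""
    return not exposing_rules(rules, cde_nets, other_nets)

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, "segmented:", is_segmented(rules, CDE_NETS, CAMPUS_NETS))
        for idx, o, c, port in exposing_rules(rules, CDE_NETS, CAMPUS_NETS):
            print(f"  rule {idx}: {o} -> {c} port {port if port else 'any'}")
```

In the segmented policy the script still reports the admin subnet’s HTTPS path; that is intended, because the systems on that path are connected to the CDE and must be documented (and kept in scope) rather than silently assumed to be segmented away.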
Who completes and signs off on the SAQ (Part 3b)?
If you are having each of your merchants complete an individual SAQ/AOC, then the assigned merchant manager will complete and sign the SAQ/AOC for their area. The institution’s overall SAQ/AOC that is submitted to the acquirer is generally signed by the executive responsible for PCI compliance (e.g. CFO, Treasurer, CIO, etc.).
Going through the exercise of completing SAQs with your merchants provides an opportunity to educate them while enhancing their view of you as an advocate. If your institution is working towards PCI compliance, use this review as input to your roadmap to determine where to focus your efforts moving forward. It can also be used to measure progress and provide your leadership team with updates on your compliance status. Once you achieve compliance, the SAQ becomes your checklist for maintaining compliance as it includes the security controls and requirements that should be part of your business as usual efforts.
If you have any questions on merchant SAQ assignments or questions as you are planning to launch your annual SAQ completion process with your merchants, please reach out to your CampusGuard Team for recommendations and suggested best practices.
Some additional guidance from our Customer Relationship team below:
[Cobb]: I prefer the idea of having the specific merchant area (typically the manager of the department accepting payments) be responsible for completing their own SAQ on an annual basis. In my opinion, it makes the department have some “skin in the game” and further enhances the importance of following departmental procedures, knowing and understanding the organization’s payment card policies, and having employees take PCI training annually. Knowing they will have to ultimately answer and attest to these requirements on an SAQ hopefully helps to keep PCI compliance in mind as they go about their daily tasks.
I also tell my customers to make sure merchants answer their SAQ honestly. While it is easy to say “I wish we were compliant” or “we hope to be compliant soon”, the SAQ is a snapshot in time. The issue is, if you’re attesting compliance and then a data breach occurs that was caused by something you were attesting as compliant, but in truth was not…there are going to be difficult questions to answer to a forensic investigator and to your acquiring bank. Better to answer honestly and, if there are “No” responses (non-compliant answers), use those answers to help drive your PCI project plan in order to achieve compliance.