Any organization processing payment card transactions is required to complete an annual PCI DSS compliance attestation. What this attestation process looks like can vary based on merchant level, volume of transactions, etc., but for many campus-based environments, an overall, organization-wide attestation is typically pulled together from a combination of multiple merchant SAQs.
When possible, organizations should direct responsibility for the completion of annual SAQs to the individual merchants. Making merchants accountable for their own individual SAQs provides several advantages:
Merchants are stating that they are indeed meeting the requirements outlined in their reduced scope SAQ. For example, merchants will have to confirm they are performing ongoing inspections of payment card devices, reviewing procedures, training staff, etc.
Identifying potential areas of non-compliance
Merchants have to assess current security posture and identify any potential areas of risk or non-compliance. From there, the PCI team can assist and implement appropriate measures to mitigate risk and protect cardholder data.
Preventing data breaches
Merchants need to understand the required security controls and practices, therefore reducing the risk of unauthorized access, data theft, or other security incidents that can result in financial loss or reputational damage. The SAQ process encourages merchants to evaluate their security controls regularly and implement improvements, therefore reducing the likelihood of an incident.
Maintaining the ability to accept and process cards
Merchants should understand that in order to continue to accept credit card payments, they must fulfill their responsibilities for PCI compliance, which includes an annual SAQ, departmental procedures, staff training, vendor oversight, etc.
Identifying potential areas for scope reduction
A merchant might determine it would be advantageous to move toward the acceptance of online payments only if they are only processing a limited number of card present transactions annually. The annual SAQ cycle provides an opportunity to take a closer look at their processes and identify ways to reduce overall risk.
Too often, PCI is viewed as an IT responsibility, and although Information Technology/Security does have a major role in protecting the systems involved, there are various operational and business requirements that the individual merchant areas should be responsible for. How can an organization empower merchant staff and set them up for success?
Below are a few strategies that can help ensure your merchants have the tools necessary to effectively complete their responsibilities:
Accurate SAQ Assignments
Confirming that merchants are assigned the correct SAQ(s) for their payment method or methods is important. Otherwise, merchants may find themselves down a rabbit hole that has nothing to do with how they are taking payments. Some bank portals can be confusing if merchants don’t understand how to accurately answer the initial questions about their merchant accounts, and they might not be directed to the appropriate SAQ. Giving the PCI team the authority to assign each merchant their individual SAQs eliminates this opportunity for confusion.
Schedule time with your merchants to walk through the SAQs and explain what information should be shared in each field and how to accurately complete each section. Especially with PCI DSS version 4.0, there are new SAQ forms with updated requirements, so ensuring that you are allocating the time to work with the merchants to review the changes together will be critical. Scheduling workshops by SAQ type and involving your QSA provides the merchants with an opportunity to also ask any questions they might have about their specific payment methods and potential areas of non-compliance that can be quickly corrected once discussed.
Sharing SAQ templates and FAQs can also be helpful so merchants can reference this information as they are working to complete the questionnaires. Empower your merchants with as much information as possible.
A committed PCI Team within the organization ensures you not only have a team that is responsible for establishing ongoing compliance, but that merchants also understand where to go with any questions and who they should involve when they are considering a change to their current payment methods or vendors. The PCI Team should be continuously engaged with the merchants through email communications, newsletters, updates, etc., as well as planned merchant visits to review current activities. Having a shared commitment from both the business/finance side and IT on the PCI team will also go a long ways to ensuring success across the organization.
Having a dedicated Qualified Security Assessor (QSA) provides your organization with a credentialed expert to ensure you are interpreting the requirements from the Data Security Standard correctly. A QSA can help define your current cardholder data environment, review payment processes, identify opportunities for streamlining processes and reducing scope, draft policy and procedure documentation, and evaluate third-party service provider relationships. Allowing merchants to connect with the QSA either during a workshop or separately via email or phone can also help alleviate questions that may be directed to the PCI team. Merchants will often view the QSA as a credible resource and may more quickly address any identified issues or gaps. A QSA can also assist with the annual attestation process to your acquiring bank and review and sign off on your Self-Assessment Questionnaires, so your leadership team can feel confident attesting to the organization’s compliance.
The responsibility that comes along with being issued a merchant ID for processing payment cards is important for all merchants to understand. They should also recognize that if just one merchant within your organization is non-compliant, this will impact the entire organization’s ability to remain compliant. Similarly, a data breach that occurs at one campus merchant will have a significant impact on the entire organization’s reputation and ongoing requirements for attestation.
Even if your organization is not submitting individual SAQs, but is only required to provide the acquiring bank and/or card brands with one overall attestation for the organization, internally completing and tracking individual merchant SAQs can ensure that your merchants are doing their due diligence and are accountable for the ongoing support to protect your customers and their payment card information.
Additional feedback from one of our Security Advisors:
[Smith]: One recommended practice is keeping an open channel with your merchants while they are working through their annual SAQs (and ongoing). This allows the PCI team to actively communicate with them during the process and also helps the merchants feel more comfortable asking questions, rather than just checking “Yes” even though they may not be entirely confident in their answer. Setting up meetings with each merchant area or hosting open Q&A sessions can be a great way to connect. This also provides the team an opportunity to discuss other options that may be available, such as new technology provided by the acquiring bank that may benefit a merchant area (and help your organization reduce scope or risk!).
One example I can think of is a mobile handheld terminal for foot traffic during conference registrations and events. Merchants may not be aware that this type of device is readily available to them. Instead, they might develop their own workaround, and you will find out after the fact that they were taking payments on behalf of customers on a laptop or personal phone. Having this open dialogue helps ensure merchants understand all the approved, compliant methods they can take advantage of which helps your team prevent unwanted situations from occurring.