More and more Level 3 and Level 4 merchants are receiving letters from their Acquirers requesting their organization’s PCI compliance documentation. As Level 3 or Level 4 merchants, organizations can complete a Self-Assessment Questionnaire (SAQ) and provide an Attestation of Compliance (AOC) rather than undergoing an on-site assessment. It can vary by Acquirer, but most will request just one overall SAQ for the organization. However, campus-based environments are advised to extend this concept down to the merchant areas, requiring each merchant area to complete its own discrete SAQ. Depending on each merchant’s payment processes, this may mean completing a simple SAQ A or SAQ A-EP (for e-commerce), or one of the more complex Self-Assessment Questionnaires if the area accepts payment cards in person or by phone, or stores cardholder data.
So, who is responsible for completing the SAQs? Does the PCI Team need to work through a separate questionnaire for each and every merchant ID (MID)? After all, the PCI Team members are the ones who know what the questions are actually asking, right? Because PCI Team members are so dedicated to their work, we often see them take on extra responsibilities that really can, and should, be turned over to the individual merchant areas.
While there are lots of other tasks you can also assign to the merchants (think policies, procedures, etc.), this article focuses on why it is important to have merchants complete their own Self-Assessment Questionnaires each year.
Throughout the year, the Merchant Managers should really become an extension of your PCI Team and work to ensure that the PCI DSS is being followed within their departments by monitoring the following:
- Payment card handling policies and procedures are in place and conform to the organization’s overarching PCI Policy;
- Payment card operations are actually following the area’s own payment card handling policies and procedures;
- Staff receive annual PCI Awareness training as well as training on department-specific card handling policies and procedures;
- All staff are signing an acknowledgement that they have received the above training, understand the policies and procedures, and agree to comply with them; and
- An annual review of third-party service providers and their PCI compliance status is being conducted.
Based on the above on-going activities, the Merchant Manager really needs to be the PCI expert for their payment area. They know what processes are in place, how staff are handling cardholder data, and whether new systems or equipment are being considered. The SAQ’s purpose is to help each area self-evaluate its compliance, so the Merchant Manager is the one best equipped to provide accurate answers against the PCI DSS requirements.
Requiring the Merchant Managers to complete their area’s SAQ will help achieve the following:
- Confirmation that merchant areas are satisfying all of the PCI requirements that apply to their operation and, if they are not, alert the PCI Team to any gaps that require remediation, and
- Additional educational opportunities for Merchant Managers and key staff.
Holding the individual departments/merchants accountable for attesting to their own compliance will ensure they have some “skin in the game”. By actively engaging the merchants in this process, they are more likely to care about PCI compliance throughout the year, educate and involve their staff, and start to view PCI as part of business as usual, rather than just an annual bother that occurs when the PCI Team comes around to ask questions. They will also start to think twice before buying a new device or implementing a new solution, weighing the effect it may have on their department’s PCI compliance status.
Through the use of an online SAQ completion tool, like CampusGuard’s Customer Compliance Portal, the PCI Team can generate an aggregation of the merchant area SAQ information to create the organization-level SAQ which can then be submitted to the bank to report their overall compliance.
Now, I know what you are thinking…how are we ever going to get all of our merchants to complete their own SAQs? If this is your first year going through the process, it will require some hand holding, and you may want to offer to sit with the managers as they fill out their SAQs. Alternatively, you can hold a training session for those who have questions, perhaps grouping them by SAQ type. And, depending on how you are managing the technical aspects (i.e. does each area have their own IT staff?), you may also need to get IT involved to help answer some of the questions. That said, this will become easier each year as the merchants become used to the process, and typically by the third year, we do see things smooth out into a calm, repeatable flow. For additional strategies, please refer to our previous article discussing how to motivate your merchants.
Some additional guidance from our Security Advisor team below:
[Burt]: There are a number of reasons why merchants should complete their own Self-Assessment Questionnaire (SAQ), many of which are mentioned in the above article. Speaking from personal experience (as a former PCI Team member with a higher education institution), one of the most important reasons in my opinion is holding the department/merchant accountable for attesting to their own compliance. The PCI team can always work with merchants to confirm policies/procedures exist, training is taking place, third-party service provider reviews are taking place, and staff are signing the appropriate acknowledgements. However, there is something about having merchants personally answer the SAQs, and the appropriate manager/director signing off saying, “yes, we are definitely doing this.” You would be surprised how much “accurate” work gets completed when individuals and merchants are held accountable for their actions in writing.
The first year will take a great deal of work to get the process ironed out and running smoothly. However, after the process has been implemented, the following years will be much more productive for all parties involved (especially the PCI Team). As always, feel free to contact CampusGuard with any questions about how to make this process successful.