Home Compliance StandardsPCI DSS How to Complete a PCI Self Assessment Questionnaire
PCI DSS

How to Complete a PCI Self Assessment Questionnaire

by RSI Security
written by RSI Security

One of the most widely applicable regulatory compliance frameworks is the Payment Card Industry (PCI) Data Security Standard (DSS). All companies that process credit card payments—up to six million annual transactions—need to fill out a PCI Self Assessment Questionnaire (SAQ) to comply.

 

File a PCI Self Assessment Questionnaire in Three Steps

Unless your company avoids credit card transactions entirely, it needs to be PCI DSS compliant. There are three basic steps to reporting on compliance via PCI SAQ:

  • Performing a readiness assessment to understand what you’ll need to do to comply
  • Implementing all PCI controls across the 12 Requirements of the PCI DSS framework
  • Answering all questions on the appropriate SAQ and verifying the answers

RSI Security’s compliance advisory services can help your company with all PCI Self Assessment Questionnaire steps.

 

Step 1: Perform a PCI DSS Readiness Assessment Analysis

You’ll need to establish two factors before beginning your PCI DSS self assessment questionnaire journey. The first involves the kinds of documentation you need to verify compliance. According to Visa’s PCI guide, there are four Levels for PCI DSS reporting:

  • PCI Level 4 – Merchants who process fewer than 20 thousand e-commerce transactions annually (or up to one million transactions on all channels) must file just a SAQ annually.
  • PCI Level 3 – Merchants who process 20 thousand to one million annual e-commerce transactions must file both a SAQ and an Attestation of Compliance (AOC) annually.
  • PCI Level 2 – Merchants who process one to six million transactions annually across all channels (including e-commerce and others) must file both the SAQ and AOC annually.
  • PCI Level 1 – Merchants who process over six million transactions annually across all channels must file a Report on Compliance (ROC), along with the AOC, annually.

The other critical factor is your company’s readiness for PCI DSS implementation, which measures the infrastructure you’ll need to build out to accommodate the 12 controls within the PCI DSS framework. A preliminary patch availability report can accomplish this task.

 

Request a Free Consultation

 

Step 2: Install All Controls Per PCI DSS’s 12 Requirements

The next step is the most robust and intensive. It involves augmenting existing cybersecurity architecture and building out any new elements to account for all the controls in the PCI DSS.

The most recent version, PCI DSS V3.2.1, is available via the PCI Document Library upon consenting to a licensing agreement. There are 12 Requirements, spread across six goals:

  • Goal 1: Maintain Secure Networks and Systems
    • Requirement 1: Maintain firewall configurations to protect cardholder data.
    • Requirement 2: Replace all vendor-supplied or default security settings.
  • Goal 2: Protect All Sensitive Cardholder Data
    • Requirement 3: Protect all cardholder data that exists in company storage.
    • Requirement 4: Encrypt cardholder data for traffic on unsecured networks.
  • Goal 3: Manage Vulnerability Programmatically
    • Requirement 5: Install and maintain antimalware and antivirus software.
    • Requirement 6: Maintain security of developed systems and applications.
  • Goal 4: Implement Access Control Measures
    • Requirement 7: Restrict cardholder data access to by business need.
    • Requirement 8: Authenticate identity for access to system components.
    • Requirement 9: Restrict physical or proximal access to cardholder data.
  • Goal 5: Monitor and Test Networks Regularly
    • Requirement 10: Monitor all network access involving cardholder data.
    • Requirement 11: Test security systems and processes at regular intervals.
  • Goal 6: Formalize an Information Security Policy
    • Requirement 12: Maintain a formal security policy addressing all personnel.

Once all controls are in place, the only remaining step is documenting them via the SAQ.

laptop

Step 3: Answer all SAQ Questions and Verify Your Answers

The last step involves surveying all systems to ensure all controls meet the 12 Requirements detailed above. The SAQ form is rather straightforward; it asks for a direct “yes” or “no” answer about each control. However, your company must choose the appropriate SAQ to submit depending on your business activities:

  • SAQ A – For merchants that fully outsource cardholder data functions to third parties
  • SAQ A-EP – For merchants that use a third-party website for cardholder data processes
  • SAQ B – For merchants that use dial-out or imprint machines with no electronic storage
  • SAQ B-IP – For merchants that use IP-connected terminals with no electronic storage
  • SAQ C-VT – For merchants that use web-based terminals with no electronic storage
  • SAQ C – For merchants that use internet-connect systems with no electronic storage
  • SAQ P2PE-HW – For merchants that use an approved point to point encryption tool
  • SAQ D-M / D-SP – For all other merchants (D-M) and Service Providers (D-SP)

All companies except those at PCI Level 4 must retain the services of a Qualified Security Assessor (QSA) like RSI Security to verify their compliance reporting via AOC or ROC forms. All QSAs are approved by the PCI Security Standards Council.

 

RSI Security: Rethink Your PCI Compliance and Cyberdefense 

Completing a PCI compliance questionnaire requires assessing readiness, implementing required controls, and reporting and verifying PCI DSS compliance.

RSI Security has helped companies achieve PCI compliance for over a decade. Our team of experts will help with the PCI self assessment questionnaire and all other elements—contact us to get started!

 

Request a Free Consultation

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

How to Make Use of the PCI DSS...

August 21, 2023

How Does PCI DSS 4.0 Affect Payment Facilitators?

June 5, 2020

Breaking Down the PCI Logging Requirements

October 13, 2022

How to Keep Data Secure for Cardholders (PCI...

July 23, 2018

Does a P2PE validated application also need to...

June 5, 2018

Protect Cardholder Data With Antivirus Software

July 23, 2018

Who Must Comply with PCI standards?

April 11, 2018

Will PCI DSS Regulations Change Post-COVID?

July 27, 2020

Your Guide to PCI Vulnerability Scan Requirements

June 23, 2021

Can card verification codes be stored for recurring...

April 18, 2018

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More