One of the most widely applicable regulatory compliance frameworks is the Payment Card Industry (PCI) Data Security Standard (DSS). All companies that process credit card payments—up to six million annual transactions—need to fill out a PCI Self Assessment Questionnaire (SAQ) to comply.
File a PCI Self Assessment Questionnaire in Three Steps
Unless your company avoids credit card transactions entirely, it needs to be PCI DSS compliant. There are three basic steps to reporting on compliance via PCI SAQ:
- Performing a readiness assessment to understand what you’ll need to do to comply
- Implementing all PCI controls across the 12 Requirements of the PCI DSS framework
- Answering all questions on the appropriate SAQ and verifying the answers
RSI Security’s compliance advisory services can help your company with all PCI Self Assessment Questionnaire steps.
Step 1: Perform a PCI DSS Readiness Assessment Analysis
You’ll need to establish two factors before beginning your PCI DSS self assessment questionnaire journey. The first involves the kinds of documentation you need to verify compliance. According to Visa’s PCI guide, there are four Levels for PCI DSS reporting:
- PCI Level 4 – Merchants who process fewer than 20 thousand e-commerce transactions annually (or up to one million transactions on all channels) must file just a SAQ annually.
- PCI Level 3 – Merchants who process 20 thousand to one million annual e-commerce transactions must file both a SAQ and an Attestation of Compliance (AOC) annually.
- PCI Level 2 – Merchants who process one to six million transactions annually across all channels (including e-commerce and others) must file both the SAQ and AOC annually.
- PCI Level 1 – Merchants who process over six million transactions annually across all channels must file a Report on Compliance (ROC), along with the AOC, annually.
The other critical factor is your company’s readiness for PCI DSS implementation, which measures the infrastructure you’ll need to build out to accommodate the 12 controls within the PCI DSS framework. A preliminary patch availability report can accomplish this task.
Step 2: Install All Controls Per PCI DSS’s 12 Requirements
The next step is the most extensive and labor-intensive. It involves augmenting existing cybersecurity architecture and building out any new elements to account for all the controls in the PCI DSS.
The most recent version, PCI DSS V3.2.1, is available via the PCI Document Library upon consenting to a licensing agreement. There are 12 Requirements, spread across six goals:
- Goal 1: Maintain Secure Networks and Systems
  - Requirement 1: Maintain firewall configurations to protect cardholder data.
  - Requirement 2: Replace all vendor-supplied or default security settings.
- Goal 2: Protect All Sensitive Cardholder Data
  - Requirement 3: Protect all cardholder data that exists in company storage.
  - Requirement 4: Encrypt cardholder data for traffic on unsecured networks.
- Goal 3: Manage Vulnerability Programmatically
  - Requirement 5: Install and maintain antimalware and antivirus software.
  - Requirement 6: Maintain security of developed systems and applications.
- Goal 4: Implement Access Control Measures
  - Requirement 7: Restrict cardholder data access by business need.
  - Requirement 8: Authenticate identity for access to system components.
  - Requirement 9: Restrict physical or proximal access to cardholder data.
- Goal 5: Monitor and Test Networks Regularly
  - Requirement 10: Monitor all network access involving cardholder data.
  - Requirement 11: Test security systems and processes at regular intervals.
- Goal 6: Formalize an Information Security Policy
  - Requirement 12: Maintain a formal security policy addressing all personnel.
Once all controls are in place, the only remaining step is documenting them via the SAQ.
Step 3: Answer all SAQ Questions and Verify Your Answers
The last step involves surveying all systems to ensure all controls meet the 12 Requirements detailed above. The SAQ form is rather straightforward; it asks for a direct “yes” or “no” answer about each control. However, your company must choose the appropriate SAQ to submit depending on your business activities:
- SAQ A – For merchants that fully outsource cardholder data functions to third parties
- SAQ A-EP – For merchants that use a third-party website for cardholder data processes
- SAQ B – For merchants that use dial-out or imprint machines with no electronic storage
- SAQ B-IP – For merchants that use IP-connected terminals with no electronic storage
- SAQ C-VT – For merchants that use web-based terminals with no electronic storage
- SAQ C – For merchants that use internet-connected systems with no electronic storage
- SAQ P2PE-HW – For merchants that use an approved point-to-point encryption tool
- SAQ D-M / D-SP – For all other merchants (D-M) and Service Providers (D-SP)
All companies except those at PCI Level 4 must retain the services of a Qualified Security Assessor (QSA) like RSI Security to verify their compliance reporting via AOC or ROC forms. All QSAs are approved by the PCI Security Standards Council.
RSI Security: Rethink Your PCI Compliance and Cyberdefense
Completing a PCI compliance questionnaire requires assessing readiness, implementing required controls, and reporting and verifying PCI DSS compliance.