A company’s cybersecurity infrastructure must often meet industry-specific regulatory compliance requirements. While many compliance frameworks apply only to specific sectors, some span broader cross-sections of the market at large. For example, the Payment Card Industry (PCI) framework applies,THE SECURITY STANDARDS COUNCIL (SSC) PRESIDED OVER the to all companies that process, store, or transmit credit card data. Reporting efforts are determined by yearly transaction volume, and those below 20,000 per year must submit annual answers to PCI compliance Level 4 self-assessment questions.
What’s in a PCI Level 4 Self-Assessment?
Understanding what it takes to complete a Self-Assessment Questionnaire (SAQ) for PCI compliance Level 4 first requires knowing the category and control schema. Then, you can sink your teeth into the different documents that might be necessary. You’ll want to familiarize yourself with:
- The PCI Data Security Standards (DSS) goals and requirements
- The PCI DSS implementation and Level-determined reporting requirements
- The different SAQ forms, applicable according to business activity
- Other PCI compliance considerations, such as other PCI frameworks
What is PCI Self-Assessment? Do You Need it?
The SAQ is a critical part of the overall PCI compliance process, required for all companies that process, store, or transmit credit card data.
Companies at Level 4 (i.e., handling 20,000 transactions or fewer per year) only have to self-assess, whereas higher levels need to do so and provide additional documents. However, all PCI-bound companies must submit a self-assessment to avoid penalties regardless of their Level.
Failure to comply with PCI regulations may result in serious short- and long-term consequences. For example, if your company suffers a cybersecurity breach and customers’ cardholder data is compromised, it may be charged $50 to $90 per affected individual. For passive non-compliance, you may be charged escalating monthly fines:
- $5,000 to $10,000 per month for the first three months
- $25,000 to $50,000 per month for four to six months
- $50,000 to $100,000 per month for seven or more months.
Put simply you need to submit your yearly SAQ because non-compliance is expensive.
PCI DSS Framework and Requirements
Before digging into the PCI DSS self-assessment process, it’s critical to understand the framework itself and the context surrounding its requirements. The DSS exists to protect the cardholder data (CHD) of credit and debit users. These protections cover CHD stored, processed, transmitted, and otherwise utilized across all business operations.
The DSS and all other PCI standards are presided over by the Security Standards Council (SSC), which comprises five founding members and other stakeholders. The Founding Members are Visa, Mastercard, American Express, JCB International, and Discover. Strategic Members like Union Pay and the Board of Advisors—comprising representatives from Amazon, Google, and other industry leaders—also contribute to PCI oversight.
Ultimately, self-assessment measures your company’s implementation of the PCI DSS’s requirements and controls. Understanding the SAQ requires knowing what the DSS comprises.
What PCI Controls Do You Need to Implement?
The PCI DSS is currently in version 3.2.1, current as of May 2018. The DSS’s core comprises six “Goals” for cardholder data security that break down into 12 “Requirements.” These are:
- Goal 1 – “Build and maintain a secure network” architecture, per two requirements:
- Requirement 1: Install and update firewall safeguards for cardholder data.
- Requirement 2: Remove and replace all vendor-supplied security settings.
- Goal 2 – “Protect cardholder data” wherever it is, by following two requirements:
- Requirement 3: Protect cardholder data stored by your company.
- Requirement 4: Encrypt cardholder data for transmission over networks.
- Goal 3 – “Maintain a vulnerability management program,” per two requirements:
- Requirement 5: Install and maintain robust antivirus software protections.
- Requirement 6: Develop and maintain secure applications and systems.
- Goal 4 – “Implement strong access control measures,” as in three requirements:
- Requirement 7: Restrict data access according to business need-to-know.
- Requirement 8: Assign unique user IDs to parties with access privileges.
- Requirement 9: Restrict physical access to sensitive records or hardware.
- Goal 5 – “Regularly monitor and test networks,” according to two requirements:
- Requirement 10: Monitor access to networks containing cardholder data.
- Requirement 11: Perform regular tests on security processes and systems.
- Goal 6 – ”Maintain an information security policy,” including just one requirement:
- Requirement 12: Develop and distribute a staff-wide policy to all personnel.
These requirements have remained essentially unchanged since the original publication of version 1.1 in 2006. Version 4.0 is expected to release soon with few projected changes.
Different Levels of PCI DSS Compliance
Concerning the framework detailed above, all companies need to implement all Requirements, regardless of their Level, along with the controls specified for each. Requirements break down into sub-requirements, denoted by additional decimal points. These do not relate at all to PCI Levels, which are determined exclusively by yearly transaction volume.
For example, “Requirement 1” from above appears as “1.0” in the DSS, and it is followed by several sub-requirements (“1.1,” “1.2,” etc.). Each of these then breaks down into Testing Procedures (“1.1.a,” “1.1.b,” etc.), which provide specific metrics companies may use to evaluate their implementation. Specific guidance also accompanies most sub-requirements.
Where there is one difference in PCI Levels is regarding compliance reporting. Companies with the fewest transactions overall need to submit only an SAQ, whereas those with higher volumes need an Attestation of Compliance (AOC), Report on Compliance (ROC), or both.
What Are the Levels for PCI DSS Reporting?
The Founding Members of the PCI SSC are responsible for enforcing the DSS and other PCI frameworks. They also determine what companies must do to comply and what penalties they face for non-compliance. According to Visa’s PCI DSS guidance, there are four PCI DSS levels:
- Level 4 – Merchants who process fewer than 20 thousand e-commerce transactions per year must submit the proper SAQ annually.
- Level 3 – Merchants who process between 20 thousand and one million e-commerce transactions per year must submit an SAQ along with an externally verified AOC annually.
- Level 2 – Merchants who process between one and six million transactions per year across all channels must submit an SAQ along with an externally verified AOC annually.
- Level 1 – Merchants who process over six million transactions per year across all channels must submit an AOC and a ROC verified by a Qualified Security Assessor (QSA).
Critically, these levels scale-up in reverse order, with 4 being the lowest and 1 being the highest in terms of required documentation. With 3 and 2 bearing identical requirements, the biggest leaps are from 4 to 3 (just SAQ to SAQ and AOC) and 2 to 1 (all three: SAQ, AOC, and ROC).
QSAs and ASVs—SSC-Approved Third-Parties
The PCI SSC requires third parties that have received their approval to complete AOCs and ROCs. Approved third parties, including RSI Security, are called Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV). Though Level 4 doesn’t require third-party involvement, you will need to contact one if your transaction volume increases beyond 20,000 per year.
PCI Self-Assessment Questionnaire (SAQ)
Reporting on PCI compliance for companies at Level 4 can be done entirely in-house. However, many companies still benefit from outside assistance during implementation and assessment. Nonetheless, the PCI DSS SAQ is a relatively straightforward document, beginning with a basic survey about company facts. The second section asks questions about each DSS Requirement and sub-requirement. Requirement questions are answered with one of the following:
- “Yes,” indicating that the company has implemented the control up to the required specifications.
- “Yes with CCW,” indicating that compensating controls help achieve “Yes” outcomes.
- “No,” indicating that neither the Requirement nor a compensating control has been implemented.
- “N/A,” indicating that the Requirement or sub-requirement does not apply to the company.
The end of the SAQ contains appendices for additional information, such as Compensating Control Worksheets (CCWs) and for providing explanations of all “N/A” answers. There is also a section titled “Action Plan for Non-Compliant Requirements,” where companies may indicate remediation efforts and their expected completion date for all “No” answers.
One note: Since PCI compliance Level 4 reporting requires only the SAQ and not an AOC or ROC, this guide will focus on the former rather than the latter two.
How Many PCI DSS SAQ Variants Are There?
Another critical consideration about the PCI DSS SAQ is that there are many form variations, each of which applies to different companies depending on their business activity. There are eight primary SAQ variants:
- SAQ A – For “card not present” (e-commerce or mail/telephone-order) transactions. All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers. No cardholder data is electronically stored, processed, or transmitted on company systems or premises and relies strictly upon confirmed compliant third-party(s) to handle all these functions. Any cardholder data retained is on paper (like receipts) and not received electronically.
- SAQ A-EP – For e-commerce merchants who have outsourced all their cardholder data functions to approved third-parties and maintain a website with no impact on said data.
- SAQ B – For merchants who use one of the following payment technologies exclusively:
- Imprint machines with no capacity for physical or digital cardholder data storage.
- Dial-out terminals with no capacity for physical or digital cardholder data storage.
- SAQ B-IP – For merchants who use standalone, payment transaction security (PTS) compliant terminals with IP connections to the processor but no cardholder data storage.
- SAQ C-VT – For merchants who enter all their transactions manually, one at a time, using a virtual terminal solution with no capacity for electronic cardholder data storage.
- SAQ C – For merchants who use payment applications and systems connected to the internet but do not have or use a capacity for electronic cardholder data storage.
- SAQ P2P-HW – For merchants who use hardware-based payment terminals managed exclusively through a PCI-approved Point to Point Encryption (P2PE) solution.SAQ D – For all parties who fall outside the descriptions listed above, in two categories:
- SAQ D-M: For merchants who do not match any of the descriptions listed above.
- SAQ D-SP: For service providers who don’t match the descriptions listed above.
Other PCI Compliance Level 4 Considerations
As detailed above, the process of filling out the SAQ is relatively straightforward. The most considerable challenges lie in implementing all required controls and selecting the appropriate SAQ. Some companies may also face challenges in mapping controls between additional compliance frameworks they implement simultaneously. PCI DSS is flexible, as companies can utilize compensating controls in some cases, but other compliance frameworks may be less so.
Beyond the initial implementation of these controls, other challenges companies may face involving the long-term maintenance thereof. An SAQ and other documents must be submitted annually, but a PCI SSC audit can happen at any time, so compliance must be upheld year-round. A robust PCI compliance advisory suite should include comprehensive patch reporting and maintenance.
What is Payment Application DSS Compliance?
Yet another challenge companies may face in achieving and maintaining PCI DSS compliance is balancing the 12 Requirements with other controls required by other PCI frameworks. One widely-applicable example is the Payment Application (PA) DSS, which applies to app makers and users. Its Requirements are relatively similar to those of the DSS, comprising 14 in total:
- PA-DSS Requirement 1 – Do not retain “full” data for cards (stripe, PIN, etc.).
- PA-DSS Requirement 2 – Protect all physically or virtually stored cardholder data.
- PA-DSS Requirement 3 – Provide a suite of “secure authentication” features.
- PA-DSS Requirement 4 – Log all cardholder-related payment application activity.
- PA-DSS Requirement 5 – Develop secure payment applications and software.
- PA-DSS Requirement 6 – Protect all wireless transmissions of cardholder data.
- PA-DSS Requirement 7 – Test all payment applications for vulnerabilities and risks.
- PA-DSS Requirement 8 – Facilitate “secure network implementation” for card data.
- PA-DSS Requirement 9 – Store no cardholder data on internet-connected servers.
- PA-DSS Requirement 10 – Ensure easy, secure access to payment applications.
- PA-DSS Requirement 11 – Encrypt cardholder data for traffic over public networks.
- PA-DSS Requirement 12 – Encrypt all “non-console” administrative functionalities.
- PA-DSS Requirement 13 – Develop and distribute training materials for client users.
- PA-DSS Requirement 14 – Assign responsibilities and training materials for staff users.
Critically, companies need to track all data pertinent to these requirements separately from their DSS documentation. There are different reporting protocols for these (and all other) frameworks.
Achieve and Maintain PCI DSS Compliance
Completing your PCI compliance level 4 self-assessment involves first implementing all controls required for DSS adherence and then answering the questions on the SAQ version that fits your business type.
If your company is on the cusp of moving into Level 3 or beyond, it will also need to prepare more thorough documentation. RSI Security will assist in all compliance elements, from assessment through patch management and mapping to other frameworks.
To see how streamlined and powerful your compliance process can be, contact RSI Security today!