So, you’re working on your first Self-Assessment Questionnaire (SAQ) and you get stuck. Up until this point, it’s gone pretty well; you talked to your acquiring bank, downloaded the form they pointed you to, and you have the right people pulled together from your company to answer the requirements, but now you’re stuck. Where do you turn?
You’re in luck. Did you know the Payment Card Industry Security Standards Council (PCI SSC) has a rich assortment of frequently asked questions (FAQs)? Easily found at https://www.pcisecuritystandards.org/faqs, you can perform a keyword search or select from categories such as “SELF ASSESSMENT QUESTIONNAIRE (SAQ)”. The FAQs are arranged by article number, which is what we in the QSA community use when referencing an FAQ in text. The FAQs are the culmination of 14 years of questions from the PCI Data Security Standard (DSS) ecosystem. Useful information right at your fingertips.
There are quick links to “Newly Added,” “Most Popular,” and “Most Recently Updated” so you can keep up with changes to the website. These are helpful to get you started. You can also set up an RSS feed and get notified when changes are made to the site. There is a “Contact Us” link on the main page that allows submitting a question to the PCI SSC.
A few examples that you might search:
- Article #1091, “What are acceptable formats for truncation of primary account numbers?”
- In the response, you can see acceptable formats for the various PAN and BIN lengths. Spoiler alert: first6/last4 is what is written in the PCI DSS.
- Article #1065, “Should service providers demonstrate PCI DSS compliance as part of their client's assessment or in their own separate assessment?”
- The choice is up to the service provider. They can have their own assessment and provide proof of compliance to their customers, or they can undergo multiple assessments when requested by their customers. Which one do you think would be easier?
- Article #1473, “What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant’s PCI DSS assessment?”
- This FAQ goes into detail on the role of acquirers in shaping the assessment, and explains “Not Applicable” versus “Not Tested.” Be careful of “Not Tested”: that can be an instant fail if it’s a QSA-led assessment with a ROC and AOC. An assessor cannot attest to full compliance if any requirements were not tested as part of the assessment.
- Article #1455, “Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?”
- In there you’ll see that the PCI SSC has structured the assessment process around the QSA observing physically on the client’s site, but they do acknowledge that mitigating circumstances may preclude a physical onsite visit, and remote assessing may be necessary.
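As an added illustration of the first6/last4 truncation format mentioned under Article #1091 (example code, not from the post or the PCI SSC), the following Python scans constructed log lines for Luhn-valid card numbers and reduces them to first6/last4; the regex and the sample log lines are assumptions for the example.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or hyphens,
# as they tend to appear when a PAN leaks into a log (assumed pattern).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log lines; 4111111111111111 is a well-known test card
# number, and the order id is a 16-digit value that fails the Luhn check.
SAMPLE_LOG = [
    "2023-10-05 12:34:56 INFO order=1234567890123456 pan=4111111111111111 status=approved",
    "2023-10-05 12:35:01 INFO card 4111 1111 1111 1111 declined",
]

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Reduce a PAN to first6/last4, replacing the middle digits with 'X'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

def find_unmasked_pans(line: str) -> list:
    """Return the Luhn-valid PAN candidates found in one log line.

    The Luhn filter removes most digit runs that merely look like a PAN
    (order ids, timestamps), which keeps the review queue short.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def redact_line(line: str) -> str:
    """Rewrite every Luhn-valid PAN in a log line to its first6/last4 form."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, line)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(find_unmasked_pans(line), "->", redact_line(line))
```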
Qualified Security Assessors (QSAs) use the FAQs for the same reasons merchants do: we keep up with the FAQs as a means to address questions that arise in the assessment process. They are that universal and will be helpful as you navigate all things PCI.
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
Drew Cathey has been a member of the SecureTrust team for five years and has been in IT for 35 years. Coming from a background in telecommunications IT operations, he has held positions in engineering, project management and IT security. Drew holds degrees in biology, engineering and an MBA in Information Technology management along with PMP, CISSP, CISA and QSA certifications. He resides in St. Petersburg, FL with his two children and enjoys running, bicycling and tennis.