Now that data breaches are a routine hazard for merchants of every size and sales volume, it makes more sense than ever to take aggressive steps to protect the sensitive data of the cardholders who purchase your goods and services. Because the payment card industry is equally motivated to safeguard both customers and sellers, its PCI Security Standards Council publishes a set of compliance questionnaires. This tool, the PCI DSS Self-Assessment Questionnaire (SAQ), is a vital way to demonstrate credibility and earn customer trust.
PCI Self-Assessment: What is PCI Compliance?
In 2006, the major card brands (Visa, MasterCard, Discover, American Express and JCB International) established the PCI Security Standards Council to standardize the industry's security requirements so that payment data is protected uniformly. The standard this body formulated and maintains, the Payment Card Industry Data Security Standard (PCI DSS), is now so widely adopted that any business that stores, processes or transmits cardholder data is required, through its agreements with the card brands and its acquiring bank, to comply with it. Although the possibility of a data breach can never be ruled out entirely, PCI compliance minimizes the liability a business faces if one does occur. Most merchants validate their compliance each year by completing a PCI DSS Self-Assessment Questionnaire; the largest merchants must instead undergo an on-site assessment.
Why should your business be PCI compliant?
Although completing a PCI compliance questionnaire every year might seem like an unnecessary bureaucratic exercise, it provides several benefits to your company. Reduced liability in the event of a data breach is probably the primary advantage of PCI compliance, but it is not the only one. Companies that fail to adhere to the standard can be subjected to whopping penalties, assessed by the card brands through the acquiring bank, that can amount to as much as $500,000. Perhaps more disastrous still, your acquiring bank might end its relationship with you, leaving you out in the cold and unable to accept any card transactions. In the worst case, you could land in the dreaded Visa/MasterCard Terminated Merchant File (now known as the MATCH list), the kiss of death that can lock you out of obtaining another merchant account for several years. It probably goes without saying, but doing all you can to promote data security in your company is good for everyone involved, particularly you.
Fundamentals of the PCI DSS SAQ
How you validate compliance (an SAQ or an on-site assessment, and whether quarterly scans are required) depends on your merchant level, which is set by your annual transaction volume. The merchant levels are defined by the card brands rather than by the Council, and each brand has its own thresholds; Visa's, which the other brands closely follow, break down as follows:
- Level 4 merchants process fewer than 20,000 e-commerce transactions and up to 1 million total transactions per year. An SAQ must be completed each year, and quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) may also be required, as the acquiring bank directs.
- Level 3 merchants are mid-sized and process between 20,000 and 1 million e-commerce transactions annually. They must complete a PCI DSS Self-Assessment Questionnaire each year, together with quarterly ASV scans of any internet-facing systems in scope.
- Level 2 merchants are larger, conducting between 1 million and 6 million transactions annually across all channels. As with smaller merchants, an annual SAQ is required, along with quarterly ASV scans.
- Level 1 merchants, those processing more than 6 million transactions annually, are the largest of all. These corporations and major retailers must undergo an annual on-site assessment, documented in a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA) or, where the card brand permits, by a trained internal auditor. Quarterly ASV scans are also required.
Choosing the right SAQ
Your merchant level decides how you validate; the SAQ you complete depends on how you accept card payments, since not all merchants handle cardholder data the same way. Consider the following options to see where your business fits:
- SAQ A for card-not-present (e-commerce or mail/telephone order) merchants who fully outsource all cardholder data functions to PCI DSS validated third-party providers and do not store, process or transmit cardholder data themselves.
- SAQ A-EP for e-commerce merchants who outsource payment processing to a PCI DSS validated third party but whose own website controls how customers reach the payment page (for example, by serving the redirect, iframe or payment script), so it can affect the security of the transaction.
- SAQ B for merchants who do not store cardholder data electronically and take all card payments through imprint machines or stand-alone dial-out terminals.
- SAQ B-IP for merchants who do not store cardholder data electronically and use stand-alone, PTS-approved payment terminals with an IP connection to the payment processor.
- SAQ C for merchants who do not store cardholder data electronically and take payments through a payment application system connected to the internet.
- SAQ C-VT for merchants who do not store cardholder data electronically and key transactions manually into a virtual terminal provided by a PCI DSS validated third party.
- SAQ P2PE for merchants who process payments solely through hardware terminals that are part of a PCI SSC-listed point-to-point encryption (P2PE) solution, with no electronic storage of cardholder data.
- SAQ D for all merchants who do not meet the criteria for any other SAQ, including any merchant that stores cardholder data electronically; it covers the full set of PCI DSS requirements. (Service providers complete a separate SAQ D for service providers.)
If you are still unsure which of these questionnaires to complete, TrustNet's PCI Qualified Security Assessors (QSAs) are available to help you through the compliance process.
To guide merchants through the work behind the questionnaire, the PCI Security Standards Council publishes the Prioritized Approach, which orders the PCI DSS requirements into six milestones, from the controls that reduce the most risk to those that round out compliance. Work through them in order:
- Remove sensitive authentication data (full track data, card verification codes and PINs) and keep retention of cardholder data to a minimum.
- Protect systems and networks, including wireless networks, from attack, and be prepared to respond if a breach occurs.
- Secure your payment card applications, including the processes, servers, hardware and software that handle card data.
- Monitor and control who, when, where and how your systems and cardholder data environment are accessed.
- Protect any cardholder data you do store, with mechanisms such as encryption and sound key management.
- Finalize the remaining compliance efforts and ensure all controls are in place so that your policies, processes and procedures protect cardholder data as PCI DSS requires.
These milestones are excellent benchmarks to work through as you complete your PCI DSS SAQ.
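The first milestone is the one most often failed in practice, because card numbers and verification codes leak into application logs that nobody thought of as "storage". The scanner below is an added example written for this article (it is not TrustNet's or the PCI SSC's code) showing how a merchant can triage its own logs: it finds candidate primary account numbers, keeps only those that pass the Luhn check so that order numbers and timestamps are not flagged, masks what it finds down to the last four digits, and separately flags track 2 data and card verification values, which may not be kept at all after authorization. The log lines, field names such as `pan=` and `cvv=`, and the function names are constructed for the example; the card numbers are the brands' published test numbers, not real accounts.

```python
"""Triage scanner for unmasked PANs and sensitive authentication data in logs.

Added example for this article; it is not TrustNet's or the PCI SSC's code.
It assumes a merchant reviewing its own application logs under Milestone 1
(limit data retention, remove sensitive authentication data). The log lines
are constructed test data using the card brands' published test numbers.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally split by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 equivalent data: PAN, '=' separator, YYMM expiry and 3-digit service code.
TRACK2 = re.compile(r"\b\d{13,19}=\d{7}")
# Card verification value logged as a named field (cvv, cvv2, cvc, cid ...).
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid|security[ _]?code)\s*[:=]\s*\d{3,4}\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (start, end, digits) for every Luhn-valid PAN candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the least that troubleshooting usually needs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_pans(text: str) -> str:
    """Rewrite text with every detected PAN masked in place."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append(mask_pan(digits))
        last = end
    out.append(text[last:])
    return "".join(out)


def scan_log(lines):
    """Report, per line, masked PANs and any sensitive authentication data.

    Lines flagged with 'sad' cannot be fixed by masking: PCI DSS forbids storing
    track data or card verification values after authorization, so the record
    (and the code path that wrote it) must be removed.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        pans = [mask_pan(d) for _, _, d in find_pans(line)]
        sad = []
        if TRACK2.search(line):
            sad.append("track2")
        if CVV_FIELD.search(line):
            sad.append("cvv")
        if pans or sad:
            findings.append({"line": n, "pans": pans, "sad": sad})
    return findings


# Constructed sample log. Line 1 holds a 16-digit order id that fails Luhn and
# is correctly ignored; lines 2-4 use published test card numbers.
SAMPLE_LOG = [
    "2024-03-04 10:15:02 INFO order=1234567890123456 status=created",
    "2024-03-04 10:15:03 DEBUG auth request pan=4111 1111 1111 1111 exp=12/26 cvv=123",
    "2024-03-04 10:15:04 DEBUG track2=;5555555555554444=26121010000000000?",
    "2024-03-04 10:15:05 INFO payment approved for 378282246310005",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    for line in SAMPLE_LOG:
        print(mask_pans(line))
```

Run against the sample, line 1 produces no finding, line 2 is reported with a masked Visa number and a `cvv` flag, line 3 with a masked MasterCard number and a `track2` flag, and line 4 with a masked Amex number only. A regex-plus-Luhn scan is a triage tool, not proof of a clean environment: it will miss numbers split across lines or stored in binary form, so the same review has to cover databases, backups, crash dumps and message queues, and every `sad` hit means deleting the record and fixing the code that logged it, not just masking it.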
As a business owner, treat completing your PCI SAQ as seriously as filing your taxes. Your annual validation includes an Attestation of Compliance (AOC), signed and delivered to your acquiring bank along with the completed questionnaire. It attests, to anyone who asks, that to the best of your knowledge your customers' sensitive data is handled securely. Think of PCI compliance as a safety net that shields you and your customers from most data breach dangers and minimizes your liability should the worst occur. In today's constantly changing commercial environment, you can't be too careful.