The Green Sheet

Friday, February 8, 2008

On track with a new SAQ

The payments industry's increasing, and necessary, focus on data security has caused significant grumbling about the Payment Card Industry (PCI) Data Security Standard (DSS), but a new set of questionnaires for merchants to use with PCI self-assessments could alleviate some of the irritation.

The PCI Security Standards Council (SSC), which is charged with managing the PCI DSS, PCI PIN Entry Device Security Requirements and the Payment Application (PA) DSS, has updated its Self Assessment Questionnaire (SAQ).

The SAQ is an essential validation tool used by merchants and service providers to demonstrate compliance with the PCI DSS. The revamped SAQ is designed to simplify and streamline the assessment process and aid small and mid-size merchants who are not required to have on-site PCI compliance assessments. The new SAQ comes in four updated versions tailored specifically for different categories of card acceptors.

The upside is that many merchants will no longer have to answer questions about card processing and security systems that don't apply to them.

Conversely, the questions probe harder for weak spots in payment processing software applications – a vulnerable area that some experts believe hasn't received proper attention thus far.

The updated SAQ also aims to bring self-assessments in line with version 1.1 of the PCI standards. "Inconsistencies between the SAQ and the DSS 1.1 have been addressed," said a PCI SSC representative.

PCI SSC General Manager Bob Russo said with the introduction of the updated SAQ, "merchants will now have a better understanding for the steps necessary to secure their payment data and comply with the PCI DSS."

The new SAQ is available now at www.pcisecuritystandards.org/tech/saq.htm. Its four distinct versions include:

  • SAQ A: Designed to address requirements applicable to merchants who have outsourced all of their payment card data storage, processing and transmission functions

  • SAQ B: Created for merchants who still process card transactions with imprinters or use standalone, dial-up terminals only

  • SAQ C: Constructed to focus on merchants whose payment application systems are connected to the Internet

  • SAQ D: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by versions A, B or C.

The PCI SSC's Web site also contains comprehensive guides and a list of links to help merchants and their service providers better navigate through PCI's murky waters.


