
The Green Sheet Online Edition

April 14, 2008 • Issue 08:04:01

SAQ sun sets on smaller merchants

By Michael Petitti

In February 2008, the Payment Card Industry (PCI) Security Standards Council (SSC) released version 1.1 of the Self Assessment Questionnaire (SAQ) and announced a sunset date of April 30, 2008, for SAQ version 1.0.

The PCI SSC updated SAQ to align more closely with the PCI Data Security Standard (DSS). The questionnaire was also condensed so merchants are only obligated to answer questions relevant to their particular network. (For more information, see "On track with a new SAQ," The Green Sheet, Feb. 25, 2008, issue 08:02:02)

Depending on the merchant level, it's likely many of your merchant customers use SAQs to validate their compliance with the PCI DSS. The card brands require all merchants be compliant with the PCI DSS. However, they only require that level 1, 2 and 3 merchants validate that fact.

Level 1 merchants must undergo an annual on-site PCI data security assessment and quarterly network scans. Those in levels 2 and 3 must complete SAQs annually and also undergo quarterly network scans. (For more information, see "SAQ changes: Knowing them is imperative," by Ross Federgreen and Ken Musante, The Green Sheet, March 24, 2008, issue 08:03:02)

Currently, the card Associations leave validation requirements for level 4 merchants to the acquirers. The card Associations strongly recommend that level 4 merchants complete SAQs annually and undergo network scans quarterly, but they do not require validation. However, some acquirers do require their level 4 merchants to validate. Regardless, many of your merchants have probably used the SAQ or should be introduced to it because it is an effective tool for measuring PCI compliance.

The sunset date is especially important to your smaller merchant customers whose SAQs may soon expire. Until the closing date, merchants can choose which version of SAQ to complete, and it will remain valid for one year. If merchants' SAQs expire after April 30, 2008, they will need to complete version 1.1.

However, if their SAQs are set to expire before the sunset date, it may still be advantageous for them to complete version 1.1, as some variants consist of significantly fewer questions than version 1.0. To consolidate the process as much as possible and ensure the questionnaire's relevancy, the PCI SSC created four variants of SAQ version 1.1 that apply to different types of merchants.

SAQ version 1.1 A

Variant A consists of 11 questions. Merchants who are eligible to complete SAQ version 1.1 A will possess the following qualifications:

  • Only accept card-not-present transactions
  • Outsource all functions involving cardholder data
  • Store only paper reports or receipts with cardholder data
  • Do not process or transmit any cardholder data on premises
  • Must attest that they use a PCI DSS-compliant service provider

SAQ version 1.1 B

Variant B consists of 21 questions. Merchants who are eligible to complete SAQ version 1.1 B will possess the following qualifications:

  • Only accept transactions through an imprint machine
  • Do not transmit cardholder data over a phone line or the Internet
  • Store only paper reports or receipts with cardholder data
  • Do not store any cardholder data in electronic format

Merchants can also qualify for version 1.1 B if they:

  • Only accept transactions via a stand-alone, dial-out terminal connected to a processor via phone line
  • Do not connect the terminal to any other system or the Internet
  • Store only paper reports or receipts with cardholder data
  • Do not store any cardholder data in electronic format

SAQ versions 1.1 C and D

Variant C consists of 38 questions. Merchants who are eligible to complete PCI SAQ version 1.1 C will possess the following qualifications:

  • Accept transactions via an Internet-connected payment application, meaning the application is installed on the computer or connects to the Internet to transmit cardholder data
  • Do not connect the payment application to any other system
  • Only allow remote support of the application to be performed in compliance with information security best practices
  • Store only paper reports or receipts with cardholder data
  • Do not store any cardholder data in electronic format

Variant D consists of 226 questions, one for each requirement subcategory in the PCI DSS. Service providers and any merchants who do not qualify for any of the other variants qualify for SAQ version 1.1 D. In addition, each variant now includes a signature page that requires merchants to attest they are eligible to complete that particular variant of the questionnaire and all of the answers they provide are truthful and accurate.

With this change, now is a good time to speak with your customers about PCI compliance and validation procedures. You could also consider expanding your portfolio to offer them quarterly network scans by partnering with a company that specializes in compliance management solutions for the payments industry.

Michael Petitti is Chief Marketing Officer of Trustwave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at mpetitti@atwcorp.com.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
