By Michael Petitti
In February 2008, the Payment Card Industry (PCI) Security Standards Council (SSC) released version 1.1 of the Self Assessment Questionnaire (SAQ) and announced a sunset date of April 30, 2008, for SAQ version 1.0.
The PCI SSC updated SAQ to align more closely with the PCI Data Security Standard (DSS). The questionnaire was also condensed so merchants are only obligated to answer questions relevant to their particular network. (For more information, see "On track with a new SAQ," The Green Sheet, Feb. 25, 2008, issue 08:02:02)
Depending on the merchant level, it's likely many of your merchant customers use SAQs to validate their compliance with the PCI DSS. The card brands require all merchants be compliant with the PCI DSS. However, they only require that level 1, 2 and 3 merchants validate that fact.
Level 1 merchants must undergo an annual on-site PCI data security assessment and quarterly network scans. Those in levels 2 and 3 must complete SAQs annually and also undergo quarterly network scans. (For more information, see "SAQ changes: Knowing them is imperative," by Ross Federgreen and Ken Musante, The Green Sheet, March 24, 2008, issue 08:03:02)
Currently, the card Associations leave validation requirements for level 4 merchants to the acquirers. The card Associations strongly recommend that level 4 merchants complete SAQs annually and undergo network scans quarterly, but they do not require validation. However, some acquirers do require their level 4 merchants to validate. Regardless, many of your merchants have probably used the SAQ or should be introduced to it because it is an effective tool for measuring PCI compliance.
The sunset date is especially important to your smaller merchant customers whose SAQs may soon expire. Until the closing date, merchants can choose which version of SAQ to complete, and it will remain valid for one year. If merchants' SAQs expire after April 30, 2008, they will need to complete version 1.1.
However, if their SAQs are set to expire before the sunset date, it may still be advantageous for them to complete version 1.1, as some variants consist of significantly fewer questions than version 1.0. To consolidate the process as much as possible and ensure the questionnaire's relevancy, the PCI SSC created four variants of SAQ version 1.1 that apply to different types of merchants.
Variant A consists of 11 questions. Merchants who are eligible to complete SAQ version 1.1 A will possess the following qualifications:
Variant B consists of 21 questions. Merchants who are eligible to complete SAQ version 1.1 B will possess the following qualifications:
Merchants can also qualify for version 1.1 B if they:
Variant C consists of 38 questions. Merchants who are eligible to complete PCI SAQ version 1.1 C will possess the following qualifications:
Variant D consists of 226 questions, one for each requirement subcategory in the PCI DSS. Service providers and any merchants who do not qualify for any of the other variants qualify for SAQ version 1.1 D. In addition, each variant now includes a signature page that requires merchants to attest they are eligible to complete that particular variant of the questionnaire and all of the answers they provide are truthful and accurate.
With this change, now is a good time to speak with your customers about PCI compliance and validation procedures. You could also consider expanding your portfolio to offer them quarterly network scans by partnering with a company that specializes in compliance management solutions for the payments industry.
Michael Petitti is Chief Marketing Officer of Trustwave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at firstname.lastname@example.org.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next