Does your company take credit cards? Have you been confronted by your bank or card processor to complete a PCI-DSS SAQ and determine whether you need an ASV or an audit by a QSA? If you have, don’t worry. Many have, and can’t make heads or tails of what all of this means. The purpose of this little blog post is simply to define these terms. Future posts will dive into each one and why it exists.
What is PCI-DSS?
PCI stands for the Payment Card Industry. The Payment Card Industry is a conglomeration of the various credit card processors, most notably Visa, MasterCard, American Express, Discover, etc., that have come together to self-regulate the industry.
DSS stands for Data Security Standards. Because the PCI is an effort to self-regulate, it required a set of standards that each organization using its services must comply with. The published Data Security Standards, now on version 3.1 (3.2 is to be released in the spring of 2016), are a group of 12 categories containing a couple of hundred requirements that must be met in order for a merchant or provider to remain in good standing and continue accepting credit cards. The DSS are governed and determined by the Security Standards Council (SSC).
An SAQ is not the Pounding of my Quarterback.
An SAQ is a Self-Assessment Questionnaire. The SAQ is the first step towards a full Report on Compliance (ROC). Most merchants only need to be concerned with completing the SAQ. The SAQ is essentially the portion of the DSS that your company is responsible for; it asks you, as the merchant, to disclose how you protect cardholder data. There are multiple SAQs, and choosing the right one depends upon how many of the questions you have to answer yourself and how many are answered by your hosting provider or third-party service provider. You can determine which version is right for you by reviewing the options at the PCI site. Most electronic (website merchant) customers will use either SAQ A or SAQ A-EP.
Do I need a ROC?
Likely not, unless you are a big-time processor or service provider with collection, storage and processing occurring in your own data center. The ROC is a Report on Compliance and is only issued after a Qualified Security Assessor has done a thorough assessment of your environment and found that you comply with the DSS.
Do I need to have a QSA complete my SAQ and/or ROC?
A QSA is a Qualified Security Assessor, a big title for “auditor,” who has been specifically trained to assess PCI environments and is authorized to issue PCI approval statements.
QSAs come in two forms: QSA Companies and QSA Employees. QSA Companies are those that meet the standards and have been approved to audit a merchant against the DSS. A QSA Employee is a qualified assessor who works for a QSA Company and has been trained and certified by the PCI. A QSA Employee MUST be employed at a QSA Company. If a person comes to you and says they are a QSA, ask them what company they work for and look up their credentials on the PCI site.
A QSA is not required to complete the SAQ; you can do that internally within your organization, and it requires only the expected knowledge of your IT environment. It may be helpful to hire a security or IT consultant with some experience to help you complete an SAQ.
If a QSA or Our Internal Staff Conducts the Assessment, Why Do I Need an ASV?
An ASV is an Approved Scanning Vendor. An ASV has nothing directly to do with an SAQ or QSA. The PCI requirements direct that any website hosting or processing cardholder data, and the environments touching it, must be scanned for vulnerabilities (Requirement 11.2). As with other aspects of the program, you cannot simply scan things yourself and claim all is well; only a vendor authorized to scan can perform the scan that counts.
An ASV you contract with will scan your in-scope systems and provide a report. You are required to “pass” at least once each quarter. Most companies run the scans monthly so that if there are issues, they can be corrected before the next quarterly scan.
To find out which companies are ASVs, please see the list on the PCI site.
PCI-DSS compliance is not hard, but it can be confusing. As with most IT and security topics, knowing the definitions of the acronyms is half the battle. We hope this little post gives you a good start. Stay tuned for future posts as we dig into other PCI-DSS issues.