The PCI Security Standards Council (PCI SSC) has announced that with PCI DSS compliance version 3.2 there is valuable information merchants and service providers need to be aware of in relation to Self-Assessment Questionnaires (SAQs).
For those new to PCI DSS compliance, the SAQ is a validation tool intended to assist merchants who are not required to undergo an external on-site security assessment, to self-evaluating their compliance.
Merchants and service providers should contact their merchant bank (acquirer) or the applicable payment brand(s) to understand if they are required to submit an SAQ, and if so, which SAQ is appropriate for their environment.
SAQ A (validation type 1), for instance, deals with card-not-present (e-commerce or mail/telephone-order) merchants, where all cardholder data functions are outsourced.
SAQ B (validation type 2/3) is for imprint-only merchants with no electronic cardholder data or stand-alone terminal merchants.
SAQ C (type 4) is for merchants with POS systems connected to the Internet, no electronic cardholder data storage. And SAQ D (type 5) refers to all other merchants (not included in types 1-4) and all service providers defined by a payment brand as eligible to complete an SAQ.
The PCI SSC says that with the new version the council felt it was necessary to update certain requirements, including reporting SSL/early TLS migration efforts.
Other amendments to the SAQs, says the council, deal with the current data breach threat environment. This includes things like merchant web servers that redirect customers to a third party for payment processing as they continue to be highly targeted by attackers because basic security controls are not being applied. SAQs and A-EP include new requirements to help organisations address this threat.
While no new SAQs have been introduced with the 3.2 version, the council reminds merchants that there are nine SAQs, each one intended to meet a different scenario based on how an organisation stores, processes, or transmits cardholder data.
The key changes, explains the council, look at strengthening authentication, providing greater assurance for merchants that partially outsource their e-commerce environment, and simplifying requirements for merchants using PCI point-to-point encryption solutions.
To find out more about the latest on PCI DSS compliance version 3.2, download this free eBook called An insight into PCI DSS compliance version 3.2.