PCI DSS SAQ SPoC: What You Need to Know

On 21 September, the PCI SSC (Payment Card Industry Security Standards Council) released a new PCI DSS (PCI Data Security Standard) self-assessment questionnaire: SAQ SPoC.

Here’s what you need to know.


What is SPoC?

SPoC stands for ‘software-based PIN entry on COTS’. In turn, ‘COTS’ refers to a commercial off-the-shelf device like a smartphone or tablet, which is required for using a SPoC solution.

The SPoC solution itself, provided by a third party, comprises:

  • An SCRP (secure card reader for PIN);
  • A PIN CVM (cardholder verification method) application; and
  • A back-end system – a remote service provided by the SPoC solution provider – that monitors the entire SPoC solution for any potentially malicious activity.

The idea of a SPoC solution is that when customers enter their PIN, that data is isolated from other sensitive account data, making it harder for an attacker to breach all data at once, thus improving its security.

Who qualifies for SAQ SPoC?

  1. You must be a merchant, taking face-to-face payments only.
  2. All your payment channels must be fully attended (so no self-checkouts, for example).
  3. Your SPoC solution must be PCI SSC-approved and correctly implemented. This means implementing all controls as outlined in the user guide provided by your SPoC solution provider.
  4. You only take card payments via SCRPs connected to that SPoC solution.
  5. Your SPoC solution isn’t connected to any other systems or networks in your environment.
  6. Outside of that solution, you don’t electronically store or process account data.

In short – the prerequisites are strict. However, the merchants that qualify can significantly reduce their PCI DSS compliance burden.

How challenging is this new SAQ?

Among PCI DSS v4.0 questionnaires, SAQ SPoC is the second shortest. To give you a basic specification:

Number of questions: 22.
High-level requirements: four (requirements 3, 8, 9 and 12).
ASV (Approved Scanning Vendor) scanning: not required.
Penetration testing: not required.

Only SAQ P2PE (point-to-point encryption) is shorter than SAQ SPoC, and even then by just one question.

Compared to SAQ D Merchant, which covers all PCI DSS sub-requirements for merchants, you’re reducing your compliance burden by more than 91%!


Free PDF download: PCI DSS Compliance – Simplifying your SAQ submissions

To learn more about the PCI DSS SAQs, take a look at our free green paper. This details:

  • The benefits of achieving PCI DSS compliance;
  • How to reduce your PCI DSS scope and, by extension, PCI DSS compliance burden; and
  • All the SAQs, along with the number of questions, applicable requirements, prerequisites, and more.


Who is this SAQ intended for?

Predominantly, small face-to-face merchants that prefer to take payments solely through a COTS device. That may be for mobility, presentation or other reasons.

You may wonder why this SAQ was introduced now, in a world where it seems like e-commerce and self-checkouts are becoming increasingly popular.

This is what our QSA (Qualified Security Assessor) Stephen Hancock had to say when we put that question to him:

It was evident that most PCI DSS requirements wouldn’t apply to such merchants, but until now, there’d been no defined subset of requirements they could meet, rather than submitting the arduous SAQ D.

Introducing this new SAQ makes it much easier for them to identify what requirements they must meet and, by extension, makes it more likely that account data is kept secure.

Which SAQ would SPoC merchants likely have submitted in the past?

There was previously no specific SAQ for SPoC solutions, meaning that merchants would likely have had to submit SAQ D Merchant.

Stephen was able to add some nuance:

Where compliance was validated through an external audit, I think a QSA would have drawn on SAQ B-IP, which is designed for merchants using a standalone terminal and PTS POI [PIN transaction security point-of-interaction] devices to process transactions.

The QSA would also have been guided by the PCI SSC guidelines on securely accepting mobile payments. But those don’t outline what specific requirements would apply.

Therefore, in the past, the QSA would probably have created what is, in effect, a new ‘SAQ’. This likely included asking about some things that aren’t in the PCI DSS at all, such as locking down the COTS device. I personally have never come across the scenario in use, however, so this is an educated guess only.

Also bear in mind that because merchants potentially qualifying for SAQ SPoC tend to be smaller organisations, in many cases, no QSA would have been involved. Because of this, it’s likely that merchants would have struggled to identify and comply with their PCI DSS requirements.


PCI DSS Lead Implementer Training Course

The transition deadline for PCI DSS v4.0 is approaching fast: 31 March 2024. Are you prepared?

Why not train with the experts, so you can gain the skills to lead and manage a PCI DSS v4.0 implementation project?

This course, led by an experienced PCI DSS consultant, teaches you:

  • The principles and application of PCI DSS scoping;
  • How to apply the PCI DSS requirements to your organisation;
  • How to create a PCI DSS implementation readiness programme for your SAQ submission or external audit; and
  • Much more.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.