Organisations that accept card payments are responsible for the security of customers’ payment information and must comply with the PCI DSS (Payment Card Industry Data Security Standard).
The PCI DSS is a set of requirements that helps organisations protect payment card data. It applies to anyone that transmits, processes or stores such information, meaning no one is exempt from its rules.
In fact, SMEs (small and medium-sized enterprises) need to be particularly vigilant, because a data breach could have serious long-term effects and may even threaten their ability to stay in business.
Challenges for SMEs
The PCI DSS is complex, with 12 compliance requirements based on common information security practices.
The key to compliance is identifying and securing the points where cardholder information could be compromised. These might include compromised card readers, hard copies of records in a filing cabinet, a weak database or a network vulnerability.
You may have already addressed these weaknesses as part of your GDPR (General Data Protection Regulation) compliance practices, in which case you’ll have a lot less work on your hands.
Indeed, the GDPR and the PCI DSS cover a lot of similar areas, so compliance with one will help with the other. However, they are not exactly alike – the PCI DSS contains more prescriptive technical requirements, for example.
To demonstrate compliance with these requirements, you must audit the cardholder data environment. There are two types of audits:
- Roc (Report on compliance): completed by a PCI QSA organisation, such as IT Governance, or by an internal security assessor. This usually applies to companies with complex cardholder data environments.
- SAQ (self-assessment questionnaire): signed off by an officer of the merchant or service provider. This usually applies to companies with less complex cardholder data environments.
Report on Compliance or self-assessment?
Whether you are required to complete a RoC or a self-assessment questionnaire depends on several factors:
- The type of organisation (merchant or service provider);
- The volume of annual transactions; and
- The payment channels adopted.
Additionally, each payment brand (American Express, Discover, JCB, MasterCard and Visa) has its own compliance requirements, and they establish the eligibility criteria for SAQ or RoC.
The RoC involves a third-party auditor visiting your organisation and reviewing your compliance practices.
We explain the process in our free green paper, PCI Audit Success in Nine Essential Steps, which also contains our top tips to help identify what the auditor will look for and how you can avoid unnecessary delays.
By contrast, the SAQ – as the name suggests – can be performed internally by your team.
There are different types of SAQ that apply in different circumstances:
- SAQ A: For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants.
- SAQ A-EP: For e-commerce merchants that don’t receive cardholder data but do control the method through which data is redirected to a third-party payment processor.
- SAQ B: For merchants that only process credit card data via imprint machines or via a standalone dial-out terminal.
- SAQ B-IP: For merchants that don’t store card data in electronic format but use IP-connected POI (point-of-interaction) devices. These merchants may handle either card-present or card-not-present transactions.
- SAQ C-VT: For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function.
- SAQ C: For merchants that process cardholder data via POS (point-of-sale) systems or other payment application systems connected to the Internet.
- SAQ D: For those that don’t fit into any of the above categories. It is often referred to as ‘Report on Compliance Light’, because it requires organisations to go through all 12 PCI DSS requirements, albeit on a reduced scale. There are two versions of SAQ D: one for merchants and one for service providers.
Additionally, merchants that use card-present transactions should complete SAQ P2PE-HW.
Merchants that use a PCI-validated P2PE (point-to-point encryption) solution and have implemented it successfully are eligible for this SAQ.
How to complete an SAQ
Although the concept of a self-assessment sounds straightforward, each form contains hundreds of questions that require an in-depth understanding of the PCI DSS.
So although the SAQ gives you a framework that can be used to achieve compliance, you still need an expert to oversee the process.
Those looking to understanding their requirements should take a look at our PCI DSS Foundation Course.
This one-day course provides a comprehensive introduction to the Standard and delivers practical guidance on how it applies to certain organisations.
You’ll learn what’s required for compliance before your organisation undergoes an assessment, and receive real-world examples to demonstrate the challenges you’ll face and how to overcome them.
A version of this blog was originally published on 11 June 2019.