
PCI DSS SAQ D For Merchants/Service Providers That Store Cardholder Data Electronically

SAQ D PCI compliance for merchants and service providers

Self-Assessment Questionnaire (SAQ) D is the longest of the Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaires, and it applies to both merchants and service providers. It covers the protection of cardholder data that an organization stores, processes, or transmits electronically. In practice, SAQ D is the questionnaire for merchants and service providers that do not qualify for any of the shorter SAQ types (A, A-EP, B, B-IP, C, C-VT, or P2PE).

SAQ D is the most comprehensive of the questionnaire types, as it covers nearly every PCI DSS requirement. Merchants and service providers that self-attest must review all applicable requirements, implement the controls, and document their policies and procedures before completing the Attestation of Compliance (AOC).

Under the card brands' compliance programs, a service provider that processes fewer than 300,000 transactions per year can normally validate with SAQ D and an AOC. A service provider above that threshold must instead undergo an on-site assessment by a Qualified Security Assessor (QSA) and obtain a Report on Compliance (ROC). In short, if you are a merchant or service provider that stores cardholder data electronically, SAQ D applies to you.

PCI DSS SAQ D: Who qualifies as a service provider?

Any entity that stores, processes, or transmits cardholder data on behalf of other organizations is subject to PCI DSS and must protect that data accordingly. Situations that indicate you are an SAQ D service provider include:

-You host another organization's e-commerce website or payment system

-You process cardholder data on behalf of another organization

-You provide managed security services, or any other service that can affect the security of another organization's cardholder data environment

Each SAQ type is defined for a specific kind of environment, and service providers must determine which one matches theirs before starting. If you do not meet the eligibility criteria for any other SAQ type, SAQ D applies by default.

PCI DSS SAQ D: Who qualifies as a merchant?

As noted above, SAQ D applies to merchants that do not meet the eligibility criteria for any other SAQ type. SAQ D merchant environments include, but are not limited to:

-Merchants that store cardholder data electronically

-E-commerce merchants that store cardholder data on their own websites or systems

-Merchants that do not store cardholder data but do not meet the criteria for any other SAQ type

-Merchants that would otherwise qualify for another SAQ type but whose environment has additional requirements

PCI DSS SAQ D: Requirements

SAQ D contains 329 questions, grouped under the 12 PCI DSS requirements. The grouping lets an organization work through the questionnaire one requirement at a time and map each answer back to the controls it has in place. The twelve requirements are:

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Protect all systems against malware and regularly update anti-virus software

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security for all personnel

Conducting network vulnerability scans

SAQ D requires merchants and service providers to run both internal and external network vulnerability scans at least quarterly and after any significant change to the network (Requirement 11.2). External scans must be performed by a PCI SSC Approved Scanning Vendor (ASV); internal scans may be run by qualified internal staff, provided they are independent of the systems being scanned. A compromise of any system connected to the cardholder data environment can expose the rest of the network, so regular scanning lets organizations find and remediate vulnerabilities before they are exploited, and rescans confirm that the findings have actually been fixed.

Conducting penetration tests

Merchants and service providers that use network segmentation to isolate the cardholder data environment must perform penetration testing to confirm that the segmentation controls are effective. Under PCI DSS v3.2.1, penetration tests are performed at least annually and after any significant change; segmentation testing must be repeated at least every six months for service providers (annually for merchants) and after any change to the segmentation controls. The purpose of penetration testing is to determine whether the cardholder data environment can be reached from out-of-scope networks or otherwise compromised by an attacker.

How is PCI DSS SAQ D completed?

Merchants and service providers must first determine which PCI DSS requirements apply to their environment. As noted above, the SAQ D form contains 329 questions, each of which needs exactly one response: 'Yes', 'Yes with CCW', 'No', 'N/A', or 'Not Tested'.

A 'Yes' means that the expected testing has been performed and all elements of the requirement have been met as stated.

A 'Yes with CCW' means that the expected testing has been performed and the requirement is met with the aid of a compensating control, which must be documented in a Compensating Control Worksheet (CCW).

A 'No' means that some or all of the requirement is not met, or is still being implemented and requires further testing.

An 'N/A' means that the requirement does not apply to the organization's environment; the reason should be documented.

A 'Not Tested' means that the requirement was excluded from the assessment and was not tested; the SAQ instructions require the reason to be documented in the AOC.

The steps in the self-attestation procedure are:

  1. Identify the SAQ that applies to your environment
  2. Confirm that the scope of your environment matches the eligibility criteria of that SAQ type
  3. Assess your cardholder data environment against the applicable PCI DSS requirements
  4. Complete the SAQ D form, answering every required section clearly
  5. Complete the AOC and submit it together with the SAQ and any other documentation requested by your acquirer or payment brand

The Attestation of Compliance (AOC) is the form that records the result of the assessment. For an SAQ, the AOC is completed and signed by the merchant or service provider itself (and by the QSA, if one assisted), and it serves as the evidence of PCI DSS compliance that the acquirer or payment brand relies on.

Some common questionnaires in SAQ D

Of the 329 questions in SAQ D, the following are representative of what you will be asked:

  • Is the PAN masked when displayed (at most the first six and last four digits), so that only personnel with a legitimate business need can see the full PAN?
  • Does stored cardholder data comply with the limits set in the data retention policy?
  • Are the data retention and disposal policies implemented as documented?
  • Is there a process for testing and approving changes to network connections and firewall configurations?
  • Is strong cryptography with secure protocols used to protect cardholder data during transmission over open, public networks?
  • Are access control systems in place on all system components?
  • Are quarterly external vulnerability scans performed by an ASV?
  • Is there a process to identify newly discovered security vulnerabilities?
  • Is information security incorporated into the software development life cycle?
  • Is multi-factor authentication required for all remote network access?
  • Are facility entry controls in place to limit and monitor physical access to the cardholder data environment?
  • Are audit trails enabled and active on all system components?
  • Are security policies published, maintained, and distributed to all relevant personnel?

Relevant tips for merchants/service providers

  • Segment the cardholder data environment from the rest of your network. Segmentation is not mandatory, but it reduces the number of systems in scope and therefore the number of SAQ D questions that apply.
  • Build a solid security architecture for the cardholder data environment, with the security controls, policies, and procedures the requirements call for.
  • Document and review all security policies and procedures, so that they serve as the baseline when controls are deployed or changed in the future.
  • Engage a QSA or an experienced consultant if you are unfamiliar with PCI DSS. For e-commerce merchants in particular, expert advice on selecting the right SAQ and implementing the required controls is well worth the cost.

Summing up

Card data is valuable and must be protected while it is processed, handled, or transmitted. It travels over the internet, is read by card terminals, and is collected by online payment forms, so protecting it is mandatory for merchants and service providers. PCI DSS sets the requirements for any organization that handles card payments or stores cardholder data electronically. Working with a qualified assessor makes it easier to identify which self-assessment applies to your business, and a disciplined approach to the requirements is what gets the applicable SAQ completed successfully.