Wednesday, March 13, 2013

PCI DSS Self-Assessment

PCI-DSS requires you to be compliant if you store, transmit, or process credit cards.

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating compliance with the PCI DSS, and you may be required to share it with your acquiring bank. Please consult your acquirer for details regarding your particular PCI DSS validation requirements.

There are multiple versions of the PCI DSS SAQ to meet various business scenarios. A chart to help you determine which SAQ best applies to you and how to complete the SAQ is linked below, and is also included in the Instructions and Guidelines Document.




A "SAQ" of "Self Assessment Questionnaire" is the questionnaire required by the payment associations of Visa®, MasterCard®, Discover® Network and American Express® which assist merchants in becoming compliance with the PCI DSS. According to the Associations, all merchants and service providers are required to comply with the PCI Data Security Standard in its entirety. There are five SAQ Validation categories, shown briefly in the table below and described in more detail in the following paragraphs.





SAQ-A applies if
  • You handle only card-not-present (e-commerce or mail/telephone-order) merchants
  • You do not store, process, or transmit any cardholder data on your systems or premises, but relies entirely on third party service provider(s) to handle all these functions
  • You have confirmed that the third party(s) handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant
  • You retain only paper reports or receipts with cardholder data, and these documents are not received electronically (no data storage of cardholder data)
SAQ-B is for merchants who use card-reading devices with no data storage of cardholder data.
SAQ-C is basically for businesses that use Point-of-Sale computing systems or virtual terminals.
SAQ-D is for everyone else.

References


Sponsor Ads

No comments:

Post a Comment