PCI SAQ Certification Process in 10 Easy Steps
Please review the following steps regarding the PCI DSS compliance certification process for the Self-Assessment Questionnaires (SAQ) for merchants and service providers:
1. Determine Appropriate Merchant and Service Provider Level. Before you begin down the road of the PCI DSS compliance certification process for Self-Assessment Questionnaires (SAQ) A – D, P2PE-HW, please confirm that your transaction processing levels actually allow “self-assessing”. Simply view the various levels for Merchants (Levels 1 to 4) and Service Providers (Levels 1 and 2 only), which can be found at pcipolicyportal.com under the “Merchants” and “Service Providers” tabs on the homepage. Once you’ve done this, and are given the “green light”, then move to step 2.
2. Determine which Self-Assessment Questionnaire (SAQ) to use. There are numerous PCI DSS Self-Assessment Questionnaires – specifically – the following: SAQ A, SAQ B, SAQ C, SAQ C-VT, SAQ D, and SAQ P2PE-HW. Moreover, each one of these Self-Assessment Questionnaires (SAQ) contains numerous PCI DSS compliance requirements – some of which are considered relatively simple and straightforward (i.e., SAQ A), while others require a considerable amount of work to be done (i.e., SAQ C, SAQ C-VT, and D). The best way to determine which one of the SAQ questionnaires to actually use for compliance is to simply visit pcipolicyportal.com and find the “SAQ A – D” tab on the homepage, which will provide detailed information on each of the questionnaires referenced below.
• SAQ A for Merchants (Card-not-present merchants, with all Cardholder Data functions being outsourced).
• SAQ B for Merchants (Merchants with only imprint machines, or only stand-alone, dial-out terminals, with NO electronic cardholder data storage).
• SAQ C for Merchants (Merchants with payment application systems connected to the Internet, but with NO electronic Cardholder Data storage).
• SAQ C-VT for Merchants (Merchants using web-based virtual terminals, with NO electronic Cardholder Data storage).
• SAQ D for Merchants and Service Providers (for all other Merchants not included in the descriptions for SAQ A – C-VT, and for ALL service providers defined by a payment brand as being actually eligible to complete a Self-Assessment Questionnaire (SAQ) and the accompanying Attestation of Compliance (AOC)).
• SAQ P2PE-HW for Merchants (Merchants using only hardware payment terminals included in a PCI SSC-listed, validated, P2PE solution, with NO electronic cardholder data storage).
Simply review the “Requirements for allowing Merchants” paragraph on each of the above sections to see if you in fact meet the stated requirements for utilizing the applicable questionnaire.
3. Download the official SAQ Questionnaire and Attestation of Compliance (AoC). The Payment Card Industry Security Standards Council (PCI SSC) is the official organization ultimately responsible for the development, management, education, and awareness of the PCI Security Standards. Their website, pcisecuritystandards.org, contains all essential PCI publications, including the actual SAQ Questionnaires and related forms. Simply visit the official PCI Security Standards Council website, and click on “PCI Standards & Documents”, then on the left-hand side, click on “Documents Library”, and finally, click on the “SAQs” tab, which is located on the top horizontal menu bar. When you arrive on this page you’ll see a list of Self-Assessment Questionnaires, so simply pick the applicable SAQ and download the Microsoft Word document. Don’t forget that when you download the applicable SAQ document, also included is the “Attestation of Compliance” (AoC), which must eventually be completed (more on the AoC in a moment).
4. Thoroughly Review the Applicable SAQ Questionnaire. The PCI DSS compliance certification process for Self-Assessment Questionnaires now truly begins in earnest. Specifically, it’s time to thoroughly read whichever SAQ document you downloaded (A – D, or P2PE-HW) and begin to truly understand what’s needed for PCI compliance. Policies, procedures, and processes – that’s ultimately what PCI is all about – so it’s important that various personnel are assigned specific roles and responsibilities for assisting with compliance.
5. Purchase PCI Policies and Procedures from pcipolicyportal.com. You’ll need assistance with PCI compliance, and that’s where we come in. Every one of the PCI Self-Assessment Questionnaires (SAQ) – from A to D, and P2PE-HW – ultimately requires organizations to develop documented PCI policies and procedures for compliance – it’s a strict mandate. Your solution is the PCI policies and procedures developed exclusively by pcipolicyportal.com for each of the following PCI SAQ reporting mandates for merchants and service providers:
• SAQ A for Merchants
• SAQ B for Merchants
• SAQ C for Merchants
• SAQ C-VT for Merchants
• SAQ D for Merchants and Service Providers
• SAQ P2PE-HW for Merchants
Purchase and immediately download your PCI Policies Packet today for SAQ A, B, C, C-VT, D, and P2PE-HW.
6. Get Compliant. Again – policies, procedures, and processes – that’s what PCI compliance is all about, so do what’s needed to become compliant. The policies purchased from pcipolicyportal.com help in a big way, but there are other operational and technical demands, so pull together the necessary resources for whichever PCI DSS SAQ you need to be compliant with. Ultimately, this means reading the entire SAQ document, and doing exactly as it says, checking the boxes along the way (literally) as you complete each step.
7. Conduct Vulnerability Scans and Penetration Testing, if Necessary. Please note that your organization may have to undergo annual penetration tests and vulnerability scans for compliance, so please keep this in mind. For an ounce of clarity, just remember the following:
• PCI SAQ A – No vulnerability scans or penetration tests necessary.
• PCI SAQ B – No vulnerability scans or penetration tests necessary.
• PCI SAQ C – Vulnerability scans are required, but No penetration tests.
• PCI SAQ C-VT – No vulnerability scans or penetration tests necessary.
• PCI SAQ D – Vulnerability scans are required, along with penetration tests.
• PCI SAQ P2PE-HW – No vulnerability scans or penetration tests necessary.
If you need to conduct vulnerability scans, then simply use our trusted provider, Clone Systems. They’re a high-quality provider of PCI scanning services, and they’ve also offered our clients a discount. Here’s how it works. Simply visit Clone Systems and enter “ppp” into the “Coupon Code” field during the checkout process, and you’ll receive 10% off scanning services.
8. Complete the Attestation of Compliance. More commonly known as the AoC, this document was included within the actual Self-Assessment Questionnaire (SAQ) you downloaded, and it’s to be completed once all the requirements for your applicable SAQ have been met. This document is often requested by payment processors, gateways, acquiring banks, customers, prospects and other interested parties wanting evidence of actual PCI DSS compliance and certification. Remember, the notion of “self-assessing” is easier said than done, as quite a bit of work can be involved, so be sure to seek out resources as necessary. For PCI policies and procedures, that trusted source is none other than pcipolicyportal.com.
9. Stay Compliant. The Payment Card Industry Data Security Standards (PCI DSS) are a “moving target”, something that organizations should be focusing on throughout the year. Set aside the notion of “one and done”, because PCI compliance is a commitment that should never cease.
10. Practice What You Preach. You’ve spent a considerable amount of time developing policies, procedures, and other standardized processes for PCI compliance, so follow them and stick to the best practices of information security!
We understand that you’ve got a business to run, and compliance with today’s ever-growing laws, regulations, and industry-specific mandates – such as PCI – is not always high on the list of “to do” items. That’ll have to change – especially for PCI – as payment processors, acquiring banks, along with many other entities in the payment industry, are getting serious about compliance with the Payment Card Industry Data Security Standards (PCI DSS) provisions. PCI compliance can be a little overwhelming at first – we more than understand – it’s why we’ve provided industry-leading policies, procedures, and supporting documentation to get you moving in the right direction. We also provide hourly consulting services if you still have questions about the “who, what, when, where, and why” of PCI – contact us today to learn about pricing and how we can help.