Ruston Miles, Chief of Product Innovation, Bluefin
PCI’s Self-Assessment Questionnaire (SAQ) is often misunderstood and misused, even by long-time bankcard veterans. I can’t tell you how many times I’ve found myself explaining to very astute organizations the basic concepts about who should fill out a SAQ and which one to complete.
It can be confusing, I’ll admit, but once you know the basics, ferreting out the correct course of action is pretty simple. Let’s start with a couple of facts:
- Any company that touches a credit card, even for a split second, is required to be completely PCI compliant.
- Any company that is required to be PCI compliant must be assessed annually.
Some companies have told me that because they don’t store credit card numbers and just send them in real-time on to their bank or payment gateway, they are not required to be PCI Compliant. This is simply not true. If your company is breached and cardholder data (CHD) is exposed, a forensic investigation will take place. And I can guarantee you that Visa, MasterCard, Discover, American Express and the other card brands won’t give a single second of thought to the argument of “oh we didn’t know that we had to be compliant… we were only transmitting cards, not storing them.”
The brands have clearly stated that any entity that “stores, transmits, or processes” cardholder data is in scope for the PCI DSS. And while every entity that touches a card must be assessed annually, the card brands allow smaller entities to self-assess, while larger entities must use a Qualified Security Assessor (QSA). At the end of the day, each entity (merchant or service provider) must sign off on its compliance, whether it self-assesses or hires a QSA to perform the assessment. This sign-off is called the Attestation of Compliance (AOC).
In my experience, assessments by a QSA range anywhere from $8,000 to $50,000, depending on the size, scope, and number of locations to be assessed. I’ll blog on the assessment experience another time; I have personally been involved in about ten assessments for service providers and payment applications.
There are three questions you have to answer in order to know which SAQ is right for you:
- Identity: Are you a merchant, a service provider, or a payment application provider?
- Size: If you are a merchant or service provider, how many Visa transactions do you run per year?
- Scope: How and to what extent do you store, transmit, or process cards?
In part 2 of this blog, I’ll post in-depth details on each of these SAQ-scoping criteria. In the meantime, check out our page on PCI Compliance for more details on Bluefin’s experience in this area.