SAQs, Responsibilities and Obligations

Written by Dick Hacking | Sep 4, 2020 4:00:00 PM

The PCI SSC (Payment Card Industry Security Standards Council) allows some organizations that handle payment card data (merchants and their service providers) to complete a Self-Assessment Questionnaire (SAQ) and the associated Attestation of Compliance (AOC) to the PCI Data Security Standard (DSS) rather than undergo a full onsite assessment and Report on Compliance (ROC) by a Qualified Security Assessor (QSA). A QSA can still be engaged to assist with the details of completing the appropriate SAQ; however, unlike in a full ROC, the organization is attesting to its own compliance rather than seeking the independent opinion of a QSA.

While doing a self-assessment you may ask yourself what the benefit of having a QSA involved is. The QSA brings a breadth and depth of knowledge and experience about the standard and about the validation process that can guide you through it. Not only will they help you get it done right, but they should also help you make choices that are smart for your business. A QSA can advise on which SAQ to use, how the standard should be interpreted in the context of your environment, what evidence should be kept available in case of a review by your acquirer or the card brands, and the suitability of the controls in place, and can help you determine which parts of the standard apply to your specific environment.

Depending on how you handle card data, you need to choose the SAQ type that applies to your environment. While most SAQs reduce the number of questions that need to be answered and do not ask for specific evidence of compliance, you are still required to comply with the parts of the standard that do apply to you. In most cases, by choosing the correct SAQ type, the questions you need to address are only the ones that make sense for your environment. If you were getting a full ROC assessment, the other questions would be marked as “Not Applicable” anyway, so they are simply removed from the SAQ template.

What often gets glossed over when people complete their own SAQs is whether the organization has understood its obligations and performed all the compliance and validation tasks necessary for whoever reads the SAQ to be able to rely on it.

For example, Requirement 12.11 requires service providers to review at least quarterly that policies and procedures are being followed. So if you are a service provider and all of your card data handling has been outsourced to another service provider, who needs to perform this review? You? Your partner? Both of you? It appears that, in fact, you both do, as you are both responsible for having certain policies and procedures. But it is easy to mark that requirement as not applicable by mistake because you are fully outsourced.

If Requirement 11 about testing applies in the SAQ you are using, there is an obligation to have performed all the correct types of testing at the correct cadences and, for 11.2.2, to obtain the ASV-attested scan report describing the testing performed and whether the environment passed all the tests. As a reminder, if all the tests for Requirements 6.5, 6.6, 11.2.1, 11.2.2, and 11.2.3 apply, there should be a minimum of 21 sets of test results for each year.

There is another ramification of SAQs if you are relying on a service provider who provides an SAQ as their evidence of compliance. Requirement 12.8.4 says “Verify that the entity maintains a program to monitor its service providers’ PCI DSS compliance status at least annually.” While a full ROC-based AOC can reasonably be expected to have been independently assessed for compliance, an SAQ has not been. Note that the requirement does not say that collecting an AOC is enough; the guidance specifically talks about making sure you have confidence that all the controls are in place to ensure your service provider’s ongoing compliance. Your duty is to monitor compliance, not just to collect an SAQ or ROC.

People filling out SAQs also often check ‘yes’ for incident response plans, risk assessments, and responsibility matrices because their service provider must produce them, even though they likely have a duty to maintain such documents themselves as well.

A final encouragement to ensure that you have met all the requirements for completing an SAQ is that your acquirer might actually call you with the great news that you just crossed an annual threshold of card transactions and, as your reward, demand a full ROC forthwith. Now you are working with a QSA, but this time they are assessing you, not helping you. If you do not already have the infrastructure, governance, and evidence to lay out, it might take longer than you expected to fulfill the acquirer’s demand. That can be expensive, not only in the form of fines and penalties assessed by the acquirer, but also through the disruption caused by a sudden and pressing need to build a compliance and validation program correctly.

Truvantis is a QSA company with an experienced staff that is well-positioned to advise you on any aspects of PCI compliance. Please contact us if you have any comments or questions.