01Jul, 2016

PCI DSS / Security Compliance

PCI DSS compliance version 3.2 – what’s new with SAQs

The PCI Security Standards Council (PCI SSC) has announced that with PCI DSS compliance version 3.2 there is valuable information merchants and service providers need to be aware of in relation to Self-Assessment Questionnaires (SAQs).

For those new to PCI DSS compliance, the SAQ is a validation tool intended to assist merchants who are not required to undergo an external on-site security assessment in self-evaluating their compliance.

Merchants and service providers should contact their merchant bank (acquirer) or the applicable payment brand(s) to understand if they are required to submit an SAQ, and if so, which SAQ is appropriate for their environment.

SAQ A (validation type 1), for instance, deals with card-not-present (e-commerce or mail/telephone-order) merchants, where all cardholder data functions are outsourced.

SAQ B (validation type 2/3) is for imprint-only merchants with no electronic cardholder data or stand-alone terminal merchants.

SAQ C (type 4) is for merchants with POS systems connected to the Internet and no electronic cardholder data storage. SAQ D (type 5) covers all other merchants (those not included in types 1-4) and all service providers defined by a payment brand as eligible to complete an SAQ.

The PCI SSC says that with the new version the council felt it was necessary to update certain requirements, including the reporting of SSL/early TLS migration efforts.

Other amendments to the SAQs, says the council, deal with the current data breach threat environment. This includes merchant web servers that redirect customers to a third party for payment processing, which continue to be highly targeted by attackers because basic security controls are not being applied. SAQs A and A-EP include new requirements to help organisations address this threat.

While no new SAQs have been introduced with the 3.2 version, the council reminds merchants that there are nine SAQs, each one intended to meet a different scenario based on how an organisation stores, processes, or transmits cardholder data.

The key changes, explains the council, look at strengthening authentication, providing greater assurance for merchants that partially outsource their e-commerce environment, and simplifying requirements for merchants using PCI point-to-point encryption solutions.

To find out more about the latest on PCI DSS compliance version 3.2, download this free eBook called An insight into PCI DSS compliance version 3.2.
