PCI Self-Assessment Questionnaires Need Some Major Updates

Written by Walter Conway
July 21st, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

The PCI Council has stated that it is reexamining its four Self-Assessment Questionnaires (SAQs). Level 2 through Level 4 Merchants use an SAQ to validate their compliance. Although I have no insight into what possible changes or even new versions might come from the Council, I have some suggested changes that reflect both current attack vectors and real-world business practices.

Even though QSAs spend a lot of time preparing Reports on Compliance (ROCs) for their Level 1 Merchants and Service Providers, most of us also work with many merchants who self-assess their compliance. Interestingly, some of these merchants can be quite large organizations but with only limited payment card activity. For these merchants, the PCI Council developed three simplified SAQs that are based on how they process card transactions.

Merchants use SAQ A if they outsource their card processing to a compliant third-party service provider. The requirements to use this SAQ are: You have card-not-present (i.e., MOTO, E-Commerce) transactions exclusively; you do not store, process or transmit any cardholder data yourself; your service provider is PCI compliant; any cardholder data is only on paper; and you store no cardholder data electronically.

The general model of an SAQ A merchant is one with a Web site that links to a hosted order page at a secure third party. Cardholders are transferred to that secure hosted page to enter their card data and then returned to the merchant’s site after the transaction is approved or rejected.

In my perfect world, I would like to see two changes to this SAQ. First, I would like the SAQ to stipulate that the service provider is not just PCI compliant (as a service provider, of course; not as a merchant) but that it is a Level 1 Service Provider. My reasoning is that SAQ A merchants depend on their service providers. I want those service providers to have an outside assessment of their compliance.

My second suggestion deals with the merchant’s own Web server. I would like it to be scanned for external vulnerabilities, and I want the code redirecting the customer to the hosted order page to be inspected. Each of these tests would be done quarterly. The basis for this suggested change is an excellent Data Security Alert posted by Visa Europe. In that alert, Visa describes attacks on SAQ A merchants where the bad guys have hacked the merchant’s server and installed their own code to redirect customers to their criminal site instead of the service provider’s site. I would change SAQ A to make this attack less likely to succeed.
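One way to carry out the redirect-code inspection suggested above, as an added example that is not part of the original column: a script that pulls every outbound redirect target (form actions, meta refresh, simple JavaScript location assignments) out of the merchant's checkout page and flags any host other than the approved service provider. The approved host and the sample page are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder for the approved hosted-order-page host.
APPROVED_HOSTS = {"pay.example-provider.test"}

# Simple JavaScript redirects such as  window.location.href = "https://...";
_JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")
_META_URL = re.compile(r"""url\s*=\s*['"]?([^'";\s]+)""", re.I)

class _TargetCollector(HTMLParser):
    """Collects form actions, meta-refresh URLs and JS location assignments."""
    def __init__(self):
        super().__init__()
        self.targets, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(a["action"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL.search(a.get("content") or "")
            if m:
                self.targets.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            self.targets.extend(_JS_REDIRECT.findall(data))

def find_unexpected_redirects(html, approved_hosts=APPROVED_HOSTS):
    """Return absolute redirect targets whose host is not an approved provider.
    Relative URLs stay on the merchant's own site and are not flagged."""
    collector = _TargetCollector()
    collector.feed(html)
    return [u for u in collector.targets
            if urlparse(u).scheme in ("http", "https")
            and urlparse(u).hostname not in approved_hosts]

# Constructed checkout page: two approved targets and one tampered JS redirect.
SAMPLE_PAGE = """<head><meta http-equiv="refresh" content="5; url=https://pay.example-provider.test/hop?m=42"></head>
<form action="https://pay.example-provider.test/hop" method="post"></form>
<form action="/cart/update" method="post"></form>
<script>window.location.href = "https://checkout-secure-pay.invalid/hop";</script>"""
```

Run against the live checkout page each quarter (or on every deploy) and treat any flagged host as a change that must be explained before the site keeps taking orders.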

I would also like to see a note in the instructions to SAQ A to address mail order/telephone order (MOTO) transactions. It should say merchants cannot do MOTO and still qualify for SAQ A. For example, if the customer can’t get to the Web or has some other problem, the merchant cannot use its computer to go on the Web and enter that customer’s card number for him or her. If it does, the merchant has just turned its workstation into a payment terminal, and heaven knows what that has done to its PCI scope. I see this situation so often I coined a name for it: SAQ A OMG.

I regret having to make life more complicated for these merchants. But we all need to remember that although you can outsource your processing, you cannot outsource your responsibility.

SAQ B presents a different challenge. Merchants use SAQ B when they either have an imprinter (a.k.a. knuckle-buster or zip-zap machine) or use POS terminals “connected via a phone line” to their acquirer or processor. That terminal cannot be connected to the Internet or to any other system in the merchant’s environment. As with SAQ A, the merchant retains only paper records and does not store electronic cardholder data.

