JustinGSEIWI

asked on

PCI DSS SAQ C requirements

I am looking over the new PCI SAQ C that just came out. Looking at the document titled "Which SAQ Best Applies to My Environment?" I noticed that for SAQ C, these two requirements are listed.

Payment application system/internet device not connected to any other systems
Single store location

The single store location requirement is new to this SAQ C. Can anybody provide me with specific answers to these two requirements?

I have five store locations; does this mean I have to fill out SAQ D now?

My POS systems are on the same LAN as the rest of my internet-connected computers. Does this mean I have to segment them somehow? If I do, how do I do that while still enabling remote management such as group policy and anti-virus?

Thanks,

Justin
CoccoBill

Those criteria for the correct SAQ form are just for general guidance; your acquirer will decide which form you need to fill out in the end. I would contact them directly and ask them to specify.

You can (and should!) segment any systems away from the ones processing, storing or transmitting cardholder data, but obviously some systems will need to be connected to them. Those systems also fall under the PCI scope, and must adhere to all of the same requirements as the actual cardholder data handling systems.
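To make the scoping point above concrete (and the asker's question about keeping group policy and anti-virus working across the segmentation), here is an added example that is not from this thread: it models a store LAN as hosts in segments with a default-deny firewall policy between them, and works out which hosts are in PCI scope because they can exchange traffic with the POS systems. Host names, segment names and the AV management port are all constructed assumptions.

```python
# Added example (not from the thread): model a store network as hosts in
# segments plus a default-deny firewall policy between segments, then work
# out which hosts land in PCI scope because they can talk to the POS systems.
# All hosts, segment names and ports below are a constructed sample.
HOSTS = {
    "pos-1": "pos", "pos-2": "pos",              # payment application (CDE)
    "dc-1": "mgmt", "av-server": "mgmt",          # group policy, anti-virus
    "office-pc-1": "office", "office-pc-2": "office",
}
CDE_SEGMENTS = {"pos"}

# One flat LAN: no firewall between anything, everything shares one segment.
FLAT_LAN = {h: "lan" for h in HOSTS}

# POS VLAN firewalled: rules are (source segment, destination segment, port).
# Anything not listed is denied, which is what makes the segmentation count.
AV_MGMT_PORT = 8014  # placeholder; use your AV vendor's documented port
SEGMENTED_RULES = [
    ("pos", "mgmt", 389),            # LDAP to the domain controller
    ("pos", "mgmt", 445),            # SMB to SYSVOL for group policy files
    ("mgmt", "pos", AV_MGMT_PORT),   # AV server pushes updates to the POS
    ("office", "mgmt", 445),         # office PCs use AD but never reach POS
]
# Management flows the POS systems must keep for GPO and AV to keep working.
REQUIRED_MGMT = [("pos", "mgmt", 389), ("pos", "mgmt", 445),
                 ("mgmt", "pos", AV_MGMT_PORT)]


def pci_scope(hosts, rules, cde_segments):
    """Return, sorted, every host in scope: hosts inside a CDE segment plus
    hosts in any segment that some rule lets talk to a CDE segment, in either
    direction. Hosts sharing a segment can always reach each other."""
    connected = set(cde_segments)
    for src, dst, _port in rules:
        if src in cde_segments:
            connected.add(dst)
        if dst in cde_segments:
            connected.add(src)
    return sorted(h for h, seg in hosts.items() if seg in connected)


def management_ok(rules, required):
    """True when every required management flow is still permitted."""
    allowed = set(rules)
    return all(flow in allowed for flow in required)


if __name__ == "__main__":
    print("flat LAN in scope:", pci_scope(FLAT_LAN, [], {"lan"}))
    print("segmented in scope:", pci_scope(HOSTS, SEGMENTED_RULES, CDE_SEGMENTS))
    print("GPO/AV still reachable:", management_ok(SEGMENTED_RULES, REQUIRED_MGMT))
```

On the flat LAN every host is in scope; with the VLAN rules only the POS systems and the domain controller and AV server remain in scope, and adding a single office-to-POS rule (for example remote desktop) pulls the office PCs straight back in.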
Rich Rumble
In addition, PCI 2.0 will not become law until Jan 1st 2012.
-rich
Well, to nitpick a bit, PCI 2.0 will never become law, hopefully. :)

The transition period when merchants and service providers are able to use either v1.2 or v2.0 starts 1.1.2011, and starting from 1.1.2012 all new audits must use v2.0.

The actual differences between 1.2(.1) and 2.0 are minuscule, at least if you ask the Council. Out of the 130 or so changes in the new version only 2 are marked as "evolving requirement"; the rest are either "clarifications" or "additional guidance". The major impact for most clients coming from this new version is the possible new interpretations of the requirements, not changes in their intention. This also means it really makes little difference whether you use v1.2 or v2, since almost all of the requirements are essentially exactly the same.
JustinGSEIWI (ASKER)

The funny thing is, my acquiring bank contact seems to know little about PCI. She must contact someone else to get answers that they still don't seem sure of.

For example, I know I am supposed to submit everything to my acquirer, but they told me that I only need to submit if they request it. My bank contact contacted the payment processor they use and they said they need nothing from us as well.

They basically dodge the questions and point me somewhere else.

All that aside, I know I don't store credit card data electronically after processing of the card. We use Microsoft RMS and I know it is PCI compliant.

I just want to confirm that I am only supposed to fill out SAQ C. That single store guideline threw me for a loop as to whether I qualify for SAQ C or not. Add that to segmenting the network and I was sure I had to fill out D. The way they word them is confusing as to whether or not those guidelines are optional.

Can you elaborate on the single store guideline?

Thanks for your comments.

Justin

I can segment two locations with VLANs, but the other three don't have managed switches so I am not sure if I can segment them properly. In either case, I would still follow scope with the rest of my network since it is good practice.
I just pulled this from the newest SAQ.

Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:
Merchant has a payment application system and an Internet or public network connection on the same device and/or same local area network (LAN);
The payment application system/Internet device is not connected to any other system within the merchant environment;
Merchant store is not connected to other store locations, and any LAN is for a single store only;
Merchant does not store cardholder data in electronic format;
If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically; and
Merchant’s payment application software vendor uses secure techniques to provide remote support to merchant’s payment application system

This makes it sound like we must meet these requirements in order to qualify to fill out SAQ C.
ASKER CERTIFIED SOLUTION
CoccoBill

The issue with this is that my acquiring bank won't have a clue as to what SAQ I need to fill out. They couldn't even answer the simple questions I sent them before. I'll send them the same question I posted above anyway and see what they have to say.

Justin
Just to show you what kind of responses I am getting from my acquirer.

"They don’t have to fill out either (C or D). Since these are the ones that need to be done online the Trustwave system will figure it out for them."

Apparently we don't need to fill out either now. I don't believe this so I am asking them to elaborate.
That's fine, and I recommend you get that in writing from them. However, only your acquirer can tell which one it should be, or if, indeed, any is necessary. The acquirer bears the risks related to your business and to your compliance; if they don't require you to do anything, no one else will either. That decision in writing is nice to have if/when they change their mind.
I assumed my acquirer is my bank? When I ask my bank questions, they forward the e-mail to their payment processor.

Which is my acquirer?
Your acquirer is the acquiring bank or credit card company that you have a contract with: http://en.wikipedia.org/wiki/Acquiring_bank
Apparently TrustWave will be contacting me sometime early next year on behalf of my bank/payment processor. Not sure how this will work, being that I already have my own ASV.

Thanks for the comments.

Justin