PCI DSS SAQ C requirements

Posted on 2010-11-23
Last Modified: 2012-06-27
I am looking over the new PCI SAQ C that just came out. Looking at the document that is titled "Which SAQ Best Applies to My Environment?" I noticed that for SAQ C, these two requirements are listed.

Payment application system/internet device not connected to any other systems
Single store location

The single store location requirement is new to this SAQ C. Can anybody provide me with specific answers to these two requirements?

I have five store locations, does this mean I have to fill out SAQ D now?

My POS systems are on the same LAN as the rest of my internet connected computers. Does this mean I have to segment them somehow? If I do, how do I do that while still enabling remote management such as group policy and antivirus?

Thanks,

Justin
Question by:JustinGSEIWI
12 Comments
 

Expert Comment

by:CoccoBill
ID: 34203028
Those criteria for the correct SAQ form are just for general guidance, your acquirer will decide which form you need to fill out in the end. I would contact them directly and ask them to specify.

You can (and should!) segment any systems away from the ones processing, storing or transmitting cardholder data, but obviously some systems will need to be connected to them. Those systems also fall under the PCI scope, and must adhere to all of the same requirements as the actual cardholder data handling systems.
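The segmentation CoccoBill describes, as an added example that is not part of the original thread: a first-match allow-list between a POS VLAN and the corporate LAN that lets only the domain controller (DNS, Kerberos, LDAP and SMB, which is what group policy needs) and the antivirus console talk to the POS segment, plus a helper that lists which non-POS systems still have an allowed path to it and therefore stay in PCI scope. The addresses, VLAN numbers, the AD port list and the antivirus console port 8443 are assumptions made for the example, not taken from the thread.

```python
"""Inter-VLAN allow-list check for a POS (cardholder data) segment.

Added example, not from the original thread. Addresses, VLAN numbers and the
management ports are assumptions. The point it demonstrates: only explicitly
allowed management flows cross into the POS segment, everything else is
denied, and every host that still has an allowed path is "connected to" the
cardholder data environment and stays in scope.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: Net
    dst: Net
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port


# Constructed addressing for this example (assumption, not from the thread).
POS_VLAN = net("10.10.20.0/24")   # VLAN 20: POS terminals / payment application (the CDE)
CORP_LAN = net("10.10.10.0/24")   # VLAN 10: office workstations and servers
DC = net("10.10.10.5/32")         # domain controller: DNS, Kerberos, LDAP, SYSVOL for group policy
AV_SERVER = net("10.10.10.6/32")  # antivirus management console

# First-match rule set with an implicit default deny, i.e. what an inter-VLAN
# firewall or router ACL between the two VLANs would enforce. The AD port list
# is illustrative (real AD traffic also needs RPC and NTP, among others); the
# antivirus console port 8443 is an assumption.
RULES: List[Rule] = [
    Rule("allow", POS_VLAN, DC, "udp", 53),
    Rule("allow", POS_VLAN, DC, "tcp", 53),
    Rule("allow", POS_VLAN, DC, "udp", 88),
    Rule("allow", POS_VLAN, DC, "tcp", 88),
    Rule("allow", POS_VLAN, DC, "tcp", 389),
    Rule("allow", POS_VLAN, DC, "tcp", 445),
    Rule("allow", AV_SERVER, POS_VLAN, "tcp", 8443),
    Rule("deny", CORP_LAN, POS_VLAN, "any", None),
    Rule("deny", POS_VLAN, CORP_LAN, "any", None),
]


def first_match(rules, src_ip, dst_ip, proto, dport) -> Optional[Rule]:
    """Return the first rule matching the flow, or None if nothing matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule
    return None


def is_allowed(rules, src_ip, dst_ip, proto, dport) -> bool:
    """Default deny: a flow passes only if its first matching rule is an allow."""
    rule = first_match(rules, src_ip, dst_ip, proto, dport)
    return rule is not None and rule.action == "allow"


def connected_to_cde(rules, cde: Net) -> Set[Net]:
    """Networks outside the CDE that still have an allowed path to or from it.

    These systems are connected to the cardholder data environment and so
    remain in PCI scope after segmentation.
    """
    connected: Set[Net] = set()
    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.src.overlaps(cde) and not rule.dst.overlaps(cde):
            connected.add(rule.dst)
        if rule.dst.overlaps(cde) and not rule.src.overlaps(cde):
            connected.add(rule.src)
    return connected


if __name__ == "__main__":
    # Constructed flows to exercise the rule set.
    flows = [
        ("10.10.20.15", "10.10.10.5", "tcp", 88),     # POS -> DC Kerberos: allowed
        ("10.10.10.6", "10.10.20.15", "tcp", 8443),   # AV console -> POS: allowed
        ("10.10.10.50", "10.10.20.15", "tcp", 3389),  # workstation RDP to POS: denied
        ("10.10.20.15", "10.10.10.50", "tcp", 445),   # POS SMB to a workstation: denied
        ("10.10.10.6", "10.10.20.15", "tcp", 22),     # AV console on an unlisted port: denied
    ]
    for flow in flows:
        print(flow, "ALLOW" if is_allowed(RULES, *flow) else "DENY")
    print("still in scope:", sorted(str(n) for n in connected_to_cde(RULES, POS_VLAN)))
```

Run it stand-alone to see the verdict for each constructed flow and the list of systems that stay in scope (here the domain controller and the antivirus console). The rule set only means something if a device between the two VLANs enforces it; an unmanaged switch cannot, which is the limitation the question raises for the stores without managed switches.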
 

Expert Comment

by:Rich Rumble
ID: 34204495
In addition, PCI 2.0 will not become law until Jan-1st 2012.
-rich

Expert Comment

by:CoccoBill
ID: 34204544
Well, to nitpick a bit, PCI 2.0 will never become law, hopefully. :)

The transition period when merchants and service providers are able to use either v1.2 or v2.0 starts 1.1.2011, and starting from 1.1.2012 all new audits must use v2.0.

The actual differences between 1.2(.1) and 2.0 are minuscule, at least if you ask the Council. Out of the 130 or so changes in the new version only 2 are marked as "evolving requirement", the rest are either "clarifications" or "additional guidance". The major impact for most clients coming from this new version is the possible new interpretations of the requirements, not changes in their intention. This also means it really makes little difference whether you use v1.2 or v2, since almost all of the requirements are essentially exactly the same.
 

Author Comment

by:JustinGSEIWI
ID: 34205700
The funny thing is, my acquiring bank contact seems to know little about PCI. She must contact someone else to get answers that they still don't seem sure of.

For example, I know I am supposed to submit everything to my acquirer, but they told me that I only need to submit if they request it. My bank contact contacted the payment processor they use and they said they need nothing from us as well.

They basically dodge the questions and point me somewhere else.

All that aside, I know I don't store credit card data electronically after processing of the card. We use Microsoft RMS and I know it is PCI compliant.

I just want to confirm that I am only supposed to fill out SAQ C. That single store guideline threw me for a loop as to whether I qualify for SAQ C or not. Add that to segmenting the network and I was sure I had to fill out D. The way they word them is confusing as to whether or not those guidelines are optional.

Can you elaborate on the single store guideline?

Thanks for your comments.

Justin

I can segment two locations with VLANs but the other three don't have managed switches so I am not sure if I can segment them properly. In either case, I would still follow scope with the rest of my network since it is good practice.
 

Author Comment

by:JustinGSEIWI
ID: 34206521
I just pulled this from the newest SAQ.

Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:
Merchant has a payment application system and an Internet or public network connection on the same device and/or same local area network (LAN);
The payment application system/Internet device is not connected to any other system within the merchant environment;
Merchant store is not connected to other store locations, and any LAN is for a single store only;
Merchant does not store cardholder data in electronic format;
If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically; and
Merchant’s payment application software vendor uses secure techniques to provide remote support to merchant’s payment application system

This makes it sound like we must meet these requirements in order to qualify to fill out SAQ C.

Accepted Solution

by:CoccoBill (earned 2000 total points)
ID: 34206758
What your acquirer says is the only thing that counts. The card brands (Visa, MasterCard, Amex & co) mandate PCI compliance from their acquiring banks, which in turn are responsible for any merchants they have contracts with. If your acquirer says you don't need to do anything, that is the final word, until they change their mind of course. :) The acquirers are responsible for transferring the PCI compliance requirements to you; they decide what merchant level you are and what annual validation requirements pertain to you, since they are ultimately responsible for all of that. Do whatever your acquirer says you have to.
 

Author Comment

by:JustinGSEIWI
ID: 34230840
The issue with this is that my acquiring bank won't have a clue as to what SAQ I need to fill out. They couldn't even answer the simple questions I sent them before. I'll send them the same question I posted above anyways and see what they have to say.

Justin
 

Author Comment

by:JustinGSEIWI
ID: 34231753
Just to show you what kind of responses I am getting from my acquirer.

"They don’t have to fill out either (C or D). Since these are the ones that need to be done online the Trustwave system will figure it out for them."

Apparently we don't need to fill out either now. I don't believe this so I am asking them to elaborate.

Expert Comment

by:CoccoBill
ID: 34231807
That's fine and I recommend you get that in writing from them. However, only your acquirer can tell which one it should be, or if, indeed, any is necessary. The acquirer bears the risks related to your business and of your compliance, if they don't require you to do anything, no one else will either. That decision in writing is nice to have if/when they change their mind.
 

Author Comment

by:JustinGSEIWI
ID: 34231869
I assumed my acquirer is my bank? When I ask my bank questions, they forward the e-mail to their payment processor.

Which is my acquirer?

Expert Comment

by:CoccoBill
ID: 34231961
Your acquirer is the acquiring bank or credit card company that you have a contract with: http://en.wikipedia.org/wiki/Acquiring_bank
 

Author Comment

by:JustinGSEIWI
ID: 34233201
Apparently TrustWave will be contacting me sometime early next year on behalf of my bank/payment processor. Not sure how this will work, being that I already have my own ASV.

Thanks for the comments.

Justin