Solved

PCI DSS SAQ C requirements

Posted on 2010-11-23
Last Modified: 2012-06-27
I am looking over the new PCI SAQ C that just came out. Looking at the document titled "Which SAQ Best Applies to My Environment?" I noticed that for SAQ C, these two requirements are listed.

Payment application system/internet device not connected to any other systems
Single store location

The single store location requirement is new to this SAQ C. Can anybody provide me with specific answers to these two requirements?

I have five store locations, does this mean I have to fill out SAQ D now?

My POS systems are on the same LAN as the rest of my internet-connected computers. Does this mean I have to segment them somehow? If I do, how do I do that while still enabling remote management such as group policy and anti-virus?

Thanks,

Justin
Question by:JustinGSEIWI
 
Expert Comment

by:CoccoBill
ID: 34203028
Those criteria for the correct SAQ form are just for general guidance, your acquirer will decide which form you need to fill out in the end. I would contact them directly and ask them to specify.

You can (and should!) segment any systems away from the ones processing, storing or transmitting cardholder data, but obviously some systems will need to be connected to them. Those systems also fall under the PCI scope, and must adhere to all of the same requirements as the actual cardholder data handling systems.
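To illustrate the scoping point above (CDE systems plus every system allowed to talk to them), here is an added example of my own, not code from the thread or from the PCI Council. The hosts, VLAN names, port numbers and flow rules are all constructed sample data for a single store; it compares a flat LAN with a segmented one where only the domain controller and AV server are permitted to reach the POS VLAN.

```python
"""Added example: which hosts count as in PCI scope for a given set of allowed flows.

Rule modelled (from the answer above): the cardholder data environment (CDE)
is in scope, and so is any system with an allowed network flow to or from it.
All inventory and flow data below is constructed, not a real network.
"""

# Constructed inventory: host name -> VLAN name
HOSTS = {
    "pos-1": "pos", "pos-2": "pos",
    "dc-1": "mgmt", "av-server": "mgmt",
    "office-pc-1": "office", "office-pc-2": "office",
}

# Systems that process or transmit cardholder data (the CDE)
CDE = {"pos-1", "pos-2"}

# Allowed flows as (src, dst, dst_port); an endpoint is a host name,
# a VLAN name (meaning every host in it) or "*" (every host).
FLAT_LAN = [("*", "*", "*")]            # unsegmented: anything reaches anything

SEGMENTED = [                          # constructed firewall/ACL policy
    ("dc-1", "pos", 445),              # group policy / SMB from the DC
    ("av-server", "pos", 8530),        # AV update service (constructed port)
    ("pos", "dc-1", 389),              # LDAP back to the DC
    ("pos", "av-server", 8530),
    ("office", "office", "*"),
    ("office", "mgmt", "*"),
    ("mgmt", "office", "*"),
]


def expand(endpoint):
    """Resolve a flow endpoint to the concrete set of hosts it covers."""
    if endpoint == "*":
        return set(HOSTS)
    if endpoint in HOSTS:
        return {endpoint}
    return {h for h, vlan in HOSTS.items() if vlan == endpoint}


def in_scope(flows, cde=CDE):
    """CDE hosts plus every host with an allowed flow to or from a CDE host."""
    scope = set(cde)
    for src, dst, _port in flows:
        srcs, dsts = expand(src), expand(dst)
        if srcs & cde:
            scope |= dsts              # CDE initiates to these hosts
        if dsts & cde:
            scope |= srcs              # these hosts may reach the CDE
    return scope


if __name__ == "__main__":
    print("flat LAN in scope:  ", sorted(in_scope(FLAT_LAN)))
    print("segmented in scope: ", sorted(in_scope(SEGMENTED)))
```

With the flat LAN every office PC is in scope; with the segmented policy only the POS terminals plus the two management servers remain in scope, which is the trade-off the question about group policy and anti-virus is really asking about.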
 
Expert Comment

by:Rich Rumble
ID: 34204495
In addition, PCI 2.0 will not become law until Jan-1st 2012.
-rich
 
Expert Comment

by:CoccoBill
ID: 34204544
Well, to nitpick a bit, PCI 2.0 will never become law, hopefully. :)

The transition period when merchants and service providers are able to use either v1.2 or v2.0 starts 1.1.2011, and starting from 1.1.2012 all new audits must use v2.0.

The actual differences between 1.2(.1) and 2.0 are minuscule, at least if you ask the Council. Out of the 130 or so changes in the new version only 2 are marked as "evolving requirement"; the rest are either "clarifications" or "additional guidance". The major impact for most clients coming from this new version is the possible new interpretations of the requirements, not changes in their intention. This also means it really makes little difference whether you use v1.2 or v2, since almost all of the requirements are essentially exactly the same.
 

Author Comment

by:JustinGSEIWI
ID: 34205700
The funny thing is, my acquiring bank contact seems to know little about PCI. She must contact someone else to get answers that they still don't seem sure of.

For example, I know I am supposed to submit everything to my acquirer, they told me that I only need to submit if they request it. My bank contact contacted the payment processor they use and they said they need nothing from us as well.

They basically dodge the questions and point me somewhere else.

All that aside, I know I don't store credit card data electronically after processing of the card. We use Microsoft RMS and I know it is PCI compliant.

I just want to confirm that I am only supposed to fill out SAQ C. That single store guideline threw me for a loop as to whether I qualify for SAQ C or not. Add that to segmenting the network and I was sure I had to fill out D. The way they word them is confusing as to whether or not those guidelines are optional.

Can you elaborate on the single store guideline?

Thanks for your comments.

Justin

I can segment two locations with VLANs, but the other three don't have managed switches, so I am not sure if I can segment them properly. In either case, I would still follow scope with the rest of my network since it is good practice.
 

Author Comment

by:JustinGSEIWI
ID: 34206521
I just pulled this from the newest SAQ.

Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:
Merchant has a payment application system and an Internet or public network connection on the same device and/or same local area network (LAN);
The payment application system/Internet device is not connected to any other system within the merchant environment;
Merchant store is not connected to other store locations, and any LAN is for a single store only;
Merchant does not store cardholder data in electronic format;
If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically; and
Merchant’s payment application software vendor uses secure techniques to provide remote support to merchant’s payment application system

This makes it sound like we must meet these requirements in order to qualify to fill out SAQ C.
 
Accepted Solution

by:CoccoBill (earned 500 total points)
ID: 34206758
What your acquirer says is the only thing that counts. The card brands (Visa, Mastercard, Amex & co) mandate PCI compliance from their acquiring banks, which in turn are responsible for any merchants they have contracts with. If your acquirer says you don't need to do anything, that is the final word, until they change their mind of course. :) The acquirers are responsible for transferring the PCI compliance requirements to you; they decide what merchant level you are and what annual validation requirements pertain to you, since they are ultimately responsible for all of that. Do whatever your acquirer says you have to.
 

Author Comment

by:JustinGSEIWI
ID: 34230840
The issue with this is that my acquiring bank won't have a clue as to what SAQ I need to fill out. They couldn't even answer the simple questions I sent them before. I'll send them the same question I posted above anyways and see what they have to say.

Justin
 

Author Comment

by:JustinGSEIWI
ID: 34231753
Just to show you what kind of responses I am getting from my acquirer.

"They don’t have to fill out either (C or D). Since these are the ones that need to be done online the Trustwave system will figure it out for them."

Apparently we don't need to fill out either now. I don't believe this so I am asking them to elaborate.
 
Expert Comment

by:CoccoBill
ID: 34231807
That's fine, and I recommend you get that in writing from them. However, only your acquirer can tell which one it should be, or if, indeed, any is necessary. The acquirer bears the risks related to your business and of your compliance; if they don't require you to do anything, no one else will either. That decision in writing is nice to have if/when they change their mind.
 

Author Comment

by:JustinGSEIWI
ID: 34231869
I assumed my acquirer is my bank? When I ask my bank questions, they forward the e-mail to their payment processor.

Which is my acquirer?
 
Expert Comment

by:CoccoBill
ID: 34231961
Your acquirer is the acquiring bank or credit card company that you have a contract with: http://en.wikipedia.org/wiki/Acquiring_bank
 

Author Comment

by:JustinGSEIWI
ID: 34233201
Apparently TrustWave will be contacting me sometime early next year on behalf of my bank/payment processor. Not sure how this will work, being that I already have my own ASV.

Thanks for the comments.

Justin