PCI Self-Assessment Questionnaire Guidelines
by Audrey Oh
If you process credit card payments as part of your business, you will need to prove PCI compliance, regardless of the size of your company. The Payment Card Industry Data Standard (PCI DSS) was introduced in December 2004 by the five largest credit card companies. It aims to protect businesses and consumers from costly data breaches and fraud. Consumers have become increasingly concerned about data security after numerous breaches have hit the headlines. Reassuring consumers that you have put systems in place to keep their information safe is crucial for attracting and retaining customers.
What is PCI DSS?
PCI DSS sets the requirements you need to meet for securely accepting, storing, processing and transmitting cardholder data. There are four levels of compliance, depending on the number of transactions you process annually.
You will have to pay to maintain PCI compliance. The fee you pay will depend on the size of your business, your current level of security and the technology you use. Noncompliance could have far greater costs, such as those associated with data breaches, fines and business investigations — not to mention the damage to your company brand.
Understanding PCI compliance can be overwhelming, so we’ve put together a quick guide to the PCI self-assessment questionnaire instructions and guidelines. The self-assessment questionnaire is the first step towards achieving PCI compliance for your business.
Why do I Need to Be PCI Compliant?
Attaining and maintaining PCI compliance may seem like a lot of work, so why should you bother? If you fail to implement effective security measures, your customers and your business will be vulnerable to data breaches and fraud. A breach could result in regulatory notification requirements, lost customers, damage to your brand reputation, financial liabilities and even litigation.
PCI DSS was designed specifically to protect your business from such damaging incidents and to minimise the impact if they do occur.
What Is the Self-Assessment Questionnaire?
The PCI DSS Self-Assessment Questionnaire (SAQ) allows you to evaluate your current level of security for cardholder data. It is intended for small merchants and service providers. The questionnaire consists of a series of yes-or-no questions and can run up to 87 pages. So you’ll need to dedicate a significant block of time to complete it.
How to Select the Correct SAQ for Your Business
There are eight different questionnaires available. You will need to select the one most appropriate for your merchant environment. The PCI Security Standards Council (PCI SSC) provides a useful table in its Self Assessment Questionnaire Instructions and Guidelines, outlining the SAQ types you can choose. Select the SAQ that best fits your merchant environment.
Remember, you must comply with all requirements to be PCI DSS compliant.
If there are PCI DSS requirements applicable to your environment that do not appear in your chosen SAQ, you may have selected the wrong one. The guidelines provide further detail on the above types. You should make careful reference to these when selecting an SAQ to complete.
There is also a helpful flow chart on the last page of the guidelines that will help you to determine the correct SAQ for your business. Follow the path for each channel and remember merchants must meet all eligibility criteria for any applicable SAQ.
Complete an Attestation of Compliance
In addition to the self-assessment questionnaire, you must complete an Attestation of Compliance to certify you are eligible to perform and have performed the appropriate SAQ. You will receive the attestation with your chosen questionnaire.
How to Get Started with Your Questionnaire
To select and access the right SAQ for your business, visit the “Assessing the Security of Your Cardholder Data” page on the PCI Security Standards website. Review the list of questionnaires and click on the letter that corresponds to the most suitable SAQ for your business. This link will take you through to a “document library” containing all the questionnaires (complete with attestation forms). You will also find the further guidelines, tools and support resources you need to complete your questionnaire.
Obtaining PCI DSS is no mean feat. But it will give you and your customers peace of mind. Furthermore, you will significantly reduce the risk of data breaches and fraudulent activity. If a breach happens, the impact is likely to be far less than if you had taken no steps to maintain the security of your business and the data it processes.
Are you looking for a PCI compliant payment platform for your business? Callstream Vault is an award-winning cloud-based PCI Level 1 certified solution for the contact centre environment. Arrange a demo today.