Ready Your 3.0 SAQ Game Plan

December 17, 2014 • Published Categories Best Practices Tags , , , , , , , ,

2014 has been a year filled with news about breaches – big breaches – record breaking breaches.

I have spent the majority of the year talking to many people about PCI DSS version 3.0 SAQs.  I have spoken to Merchant Banks, Processors, small businesses, IT managers, QSAs, security professionals, businesses, non-profits, municipalities, micro-businesses, healthcare providers, etc.  I have presented webinars, written articles and blog posts and spoken with members of the PCI Council at their community meeting in Orlando.

There is certainly a lot to learn and a lot to discuss and debate about PCI DSS version 3.0 SAQs.  The one constant in all of these conversations is the date, January 1, 2015.  That is when the new SAQs are required and self-attesting merchants will no longer be able to validate their PCI compliance with the version 2.0 SAQs.

Here are my top 5 takeaways from all the conversations I’ve had:

  1. E-commerce merchants will find it more difficult to both determine which SAQ they qualify for, and to complete their SAQ once they determine which one they qualify for.
  2. Service Providers will come under increasing scrutiny and merchants will need to know more about who their Service Providers are and what services they provide.
  3. More merchants than before must have penetration testing to complete their PCI validation.
  4. Physical security will require more diligent process and controls.  The PCI Council published some great guidance documentation to make this easier.
  5. All merchants need to beef up their security awareness training.  The PCI Council has published great guidance around training as well.

And with that in mind, here are some last-minute tips to prepare your business for v3.0:

  • Merchant Service Providers – If you have not already done so, you should analyze and segment your merchant base by expected impact.  Additionally, since the Council allows you some leeway around exactly which SAQ you route merchants to based on how they process credit cards, make sure you and your merchant support are ready to direct merchants to the right SAQ (see our handy chart).  Lastly, prepare to receive many questions from your merchants.
  • Merchants – If you are planning to validate your PCI Compliance in the final days of 2014, you should get started now and plan to finish before January 1, or you will have to start over using the 3.0 requirements. Regardless, you should begin viewing your security processes according to PCI DSS v3.0. Reach out to your acquiring bank for information about how to make the transition and start reviewing who all of your Service Providers are and ensuring that they are PCI compliant.

Check out our other articles related to PCI DSS 3.0 here. Want to learn more about how the PCI DSS applies to your business or small business data security in general? Click here or give us a call at 1-800-825-3301 x 2. We’d be happy to help.


Leave a Comment