You’re Non-Compliant with PCI. Now What?

December 11, 2015 • Category: Best Practices

You gather up all the necessary documentation and sit down to complete the SAQ for your business—only to realize that you can’t answer “yes” to all the questions. Somewhere, something down the line occurred which now makes things complicated.

When confronted with the reality of non-compliance, many merchants or service providers are not completely sure what to do. As uncomfortable as it may be, you’re going to have to have a conversation with your acquiring bank. After all, they are the entity that is going to request the compliant SAQ you had hoped to produce.

Preparation is Key

The following steps will help you get back on track with PCI and succeed in your communications with your point of contact at the acquiring bank.

  1. Completely fill out the PCI Prioritized Approach Tool. This tool enables you to implement the PCI DSS using milestones, in phases, based on the level of risk that each requirement poses to the typical organization. The Prioritized Approach Tool is available as a free download at https://www.pcisecuritystandards.org/document_library in the “Supporting Documents” section.
  2. Ensure that firm dates are established for each non-compliant milestone, along with recommendations and descriptions for each issue. Be prepared to discuss the issues and be able to explain why the time/date was chosen for issue remediation/project completion.
  3. Let the acquirer know what is going on and how long it will really take to implement something. Honesty here is the best policy. You may not get a second chance to set these expectations. Banks base PCI merchant reporting on risk, so if they are able to properly gauge that risk they will be more likely to work with you or provide recommendations.
  4. Ask for an extension. The acquirer often will recommend an extension, if the remediation date is within six months of the assessment. In that case you will be permitted to submit your SAQ late, as the acquirer is permitting it. You may not get a second opportunity at an extension, so plan these dates with as much room for error as possible.
  5. Engage a third party security consulting firm. Security firms, especially those with Qualified Security Assessors (QSAs), can help you navigate these waters. There are many roles that a QSA can perform outside of doing a PCI assessment for you. Advisory, even if only a few hours, can be the difference between success and failure when tackling a project as complex as PCI.

Have additional questions about how to address PCI shortcomings? Subscribe to this blog for additional tips and webinar announcements.
