PCI DSS Payment Card Industry Self-Assessment Questionnaire (SAQ)

From the PCI Security Standards website:

The PCI Self-Assessment Questionnaire (SAQ) is a validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance to the PCI DSS. The currently posted version of the SAQ is based on the Payment Card Industry (PCI) Data Security Standard (DSS) v. January 2005. The new SAQ is expected to be released in early '08.

The questionnaire is divided into six sections with a total of 12 requirements (sub-sections), all containing yes/no questions. Each section focuses on a specific area of security based on the requirements included in the PCI Data Security Standard. If a merchant can answer "Yes" or "N/A" to all questions in each section, they are considered compliant with the self-assessment portion of the PCI Data Security Standard. If any questions are answered "No", the merchant will need to address those vulnerabilities before claiming compliance. There are a number of Approved Scanning Vendors (ASVs) that help merchants fill out the SAQ and provide the required quarterly network security and vulnerability scan. (Read more on Approved Scanning Vendors and security and vulnerability scans)

Here are the six sections and 12 requirements:

Section 1: Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Section 2: Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Section 3: Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Section 4: Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Section 5: Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Section 6: Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Other related posts:
PCI DSS Compliance
basics for credit card security
PCI DSS Compliance and the cost of a credit card breach
Braintree solutions: The Smart Approach to PCI DSS Compliance
