Blog | Aeris Secure
https://aerissecure.com/blog/
The Aeris Secure blog provides insight on current topics in cyber security, risk management and compliance.
## Self-Assessment Questionnaire C-VT Explained
Garrett Stiles (https://aerissecure.com/blog/author/garrett/), 2012-03-13
https://aerissecure.com/blog/SAQ-CVT-Explained/
With the newest version of the PCI DSS came a new SAQ type: SAQ C-VT. This particular SAQ form is geared toward a specific kind of merchant. Even though SAQ C-VT qualifying merchants use the Internet to process credit card data, they do it in such a way that most of the responsibility for security is off-loaded to a third party. In order to qualify for SAQ C-VT, merchants must use a third-party virtual terminal to process all credit card transactions.
A virtual terminal is just like it sounds: a terminal for processing credit card transactions without the use of a physical device. The virtual terminal is a secure website provided by either your gateway or your merchant account provider. To use the virtual terminal you log in with a username and password and then manually type in the customer's card data for processing. The most common virtual terminals I can think of are the Authorize.net terminal and the First Data terminal.
### Who it applies to:
Just about every merchant has access to a virtual terminal these days. Whether you use it exclusively or not will determine your eligibility for completing SAQ C-VT. Being able to complete SAQ C-VT really reduces the amount of work a merchant has to do to become PCI compliant. Because a merchant uses the Internet to access the virtual terminal, if they don't qualify completely for SAQ C-VT, they would have to complete SAQ C, which involves many more PCI DSS requirements.
The first qualifier for SAQ C-VT is that all credit card transactions must be processed through a virtual terminal. You cannot process half through an IP terminal and the other half through the virtual terminal. In addition to only using the virtual terminal, the provider of the virtual terminal must also be PCI compliant.
Once you have established that you only process through a PCI compliant virtual terminal, you must then look at the computer setup you use to access the terminal. First, the computer you use to access the virtual terminal must be a stand-alone system. It can't be connected to any other computers through a network; the only connection it can have is to the Internet. Second, that computer must not have any software installed that will store card data. Third, the computer must not have any hardware attached that can read credit cards.
On top of the computer requirements a merchant must also meet the following policy and procedure requirements to be eligible for SAQ C-VT:
- Merchant doesn't receive or send card data electronically other than through the virtual terminal (for example, through email, instant messaging, digital fax)
- Only paper reports and receipts are kept
- No cardholder data is ever stored electronically by the merchant
Given the nature of SAQ C-VT, merchants can be either a brick-and-mortar store or a mail/phone operation. However, SAQ C-VT will never apply to an e-commerce merchant.
### How to become Compliant:
With SAQ C-VT the steps to PCI compliance are much the same as for the previous SAQ forms: conduct an annual audit, then fill out the SAQ C-VT form. Because all digital transactions go through a PCI compliant virtual terminal, no vulnerability scanning is needed for SAQ C-VT. However, because you do have an Internet connection, there are extra requirements to ensure access controls to the virtual terminal are maintained.
SAQ C-VT contains requirements from 9 of the 12 PCI DSS sections. Those that apply specifically to the virtual terminal deal with restricting access to the virtual terminal and also maintaining the computer you use in a secure manner. Access to the virtual terminal and the computer must be restricted to those who need it. The software on the computer must be kept updated, and the system must be protected with an anti-virus application.
Being able to complete SAQ C-VT can be a big time-saver for merchants. If you can adjust your method of processing to use only a virtual terminal, you will greatly reduce your requirements for PCI compliance. The smaller your security exposure is, the less time you need to dedicate to compliance, and the more you can focus on your core business functions.
## Self-Assessment Questionnaire B Explained
Garrett Stiles (https://aerissecure.com/blog/author/garrett/), 2012-02-09
https://aerissecure.com/blog/SAQ-B-Explained/
Self-Assessment Questionnaire B is probably the most popular of all the SAQ types provided by the PCI SSC. SAQ B applies to the majority of small retail stores, and to the most basic and traditional methods of processing credit card payments: the simplest processing methods, from old-style card imprint machines to basic telephone dial-up card terminals. With only a few more requirements than SAQ A, SAQ B is a simple and straightforward questionnaire for reporting your PCI compliance.
### Who it applies to:
The first rule for SAQ B qualification is that you must not digitally store any credit card data. Just for reference, this rule applies to all SAQ forms except SAQ D. If you store any card data, you automatically fill out SAQ D, which is the entire PCI DSS.
For SAQ B there are 2 groups that merchants will fall into. First are the merchants that use credit card imprint machines. This style of credit card processing is old, but there are still merchants out there who use the knuckle-buster devices. For merchants using imprint machines, special care will be needed to protect physical access to the receipts. Because these receipts contain the entire card number along with the card's expiration date, this information is very sensitive. You will need to restrict access to only those employees who have a need for it. These receipts are your biggest security risk.
The second group that qualify for SAQ B are those merchants who use the simple dial-up card terminals. These terminals must be the standalone, dial-out type which connect directly to the phone line. Each time you process a card the terminal makes a call to your processor and transmits the information. There isn't a constant connection with these types of terminals. The easiest way to tell if you use a dial-up POS is to check if it plugs into the phone line, instead of a computer network cable.
Because of the qualifications for SAQ B, it usually applies to merchants who have a physical storefront and process all transactions in person. These store owners are usually smaller merchants, due to the slower processing times of the dial-up terminals. Many of these shops will also only have one or two registers.
Even though the majority of SAQ B merchants are brick-and-mortar establishments, SAQ B can also apply to mail/telephone order operations. For mail/telephone order businesses the requirements for processing technology are the same as outlined above. The only thing to keep in mind for mail/telephone orders is that the card information cannot be received electronically. For phone orders this isn't a problem. But for mail, the information must actually come in paper form, through the mail. It can't be emailed or digitally faxed, as that would violate the requirement of not receiving any card data electronically. As long as credit card numbers never touch a computer and you use the POS devices explained above, you are good to use SAQ B for PCI compliance reporting.
#### In summary, here are the bullet points to using SAQ B:
- Only use imprint machines and/or standalone, dial-out terminals with a phone-line connection to the processor
- Dial-out terminals are not connected to any other computer, network, or the Internet
- No card data is ever stored or transmitted in electronic format (no email, digital fax, instant messaging, etc.); only paper copies or receipts
- You don't store any cardholder data in electronic format
### How to become Compliant:
Becoming PCI compliant for SAQ B merchants is much the same as that for SAQ A. Because you don't store any electronic credit card data, and your card processing systems aren't connected to the Internet, you don't have to conduct any vulnerability scans. The real task is in complying with the requirements listed in SAQ B.
SAQ B covers 5 of the 12 PCI DSS sections. Only a portion of each section applies, so the total number of requirements is small. The main requirements for SAQ B ensure that the card data is protected and that policies are in place to prohibit the insecure transmission of card data through services like instant messaging. SAQ B merchants must also develop policies and procedures for controlling access to any physical copies of card data that might exist. Only employees who need access should have it.
Because of the limited exposure SAQ B merchants have to potential threats, their PCI requirements are small. With a little effort most of the requirements could be put into place in a very short time. With training and education, employees can be taught what they need to know and do in order to keep you secure and compliant with the PCI security standards.
As with all SAQ types, reporting compliance for SAQ B needs to be done each year. Before your compliance deadline each year, review the SAQ B and audit your implementation of each DSS point. The current SAQ form can be found [here](https://www.pcisecuritystandards.org/security_standards/documents.php).
As the SAQ forms move from the most basic processing methods to the more complex ones, the security requirements become more in-depth and require more frequent attention.
## Self-Assessment Questionnaire A Explained
Garrett Stiles (https://aerissecure.com/blog/author/garrett/), 2012-01-26
https://aerissecure.com/blog/SAQ-A-Explained/
Self-Assessment Questionnaire A is the most basic of all the PCI validation types. It was developed to address the needs of merchants who don't personally process any card data electronically. The requirements that apply to SAQ A merchants are very few: there are only two sections from the full PCI DSS that merchants must complete, for a total of 13 questions.
SAQ A only requires merchants to provide physical access security for cardholder data and to maintain policies that address information security for personnel. Even though there are only 2 sections presented in SAQ A, all merchants are required to comply with the PCI DSS in its entirety. If you have properly identified yourself as an SAQ A merchant, then all other points not listed on the form won't apply to your specific situation.
### Who it applies to:
Self-Assessment Questionnaire A focuses on merchants who don't have any face-to-face transactions (100% card-not-present) and also don't digitally store, process, or transmit any cardholder data. These types of merchants deal only in e-commerce and mail/phone orders. For payment processing SAQ A merchants rely solely on outsourced third party payment processors like PayPal or Google Checkout. This means that no card data ever touches your systems.
To clarify a little bit, if you are using PayPal, as an SAQ A merchant, you need to be using the setup where customers are physically directed away from your site to PayPal's before any card data is entered. The applicable PayPal implementations would be "Website Payments Standard" or "Express Checkout". If you use PayPal "Website Payments Pro" then an SAQ A is not the right form for you.
One more thing to note about the third-party payment provider: in order for you to be eligible to use SAQ A, they must be PCI compliant. You need to be able to confirm that they have gone through a PCI assessment and passed. Usually you can find this type of information on the service provider's website, or by asking a sales agent. The company will need to produce a signed certificate of compliance.
The last point in determining eligibility for SAQ A has to do with storing card data. If you choose to store any data that your processor or customer might provide you, then it can only be received and stored in paper form. You can't have any data in an electronic format. For example, if you take mail orders, you can't have a customer email you his card information. Or if you get reports from your processor that contain card data, they can't be emailed to you.
#### In summary, here are the bullet points to qualifying for SAQ A:
- Only card-not-present transactions (e-commerce, mail/telephone orders)
- Rely entirely on PCI compliant third party providers to process payments
- Only receive and store card data in paper form (no electronic card data)
### How to become compliant:
Because of the way SAQ A merchants process data, their PCI requirements for reporting are very simple. Since they don't actually process, transmit or store card data, they don't need to scan any computer systems, review system configuration, or audit coding practices. The only real requirement is to make sure they meet all the requirements listed in SAQ A, then fill it out and submit it to their acquiring bank.
Merchants need to report their PCI compliance status every year. Each year before your compliance deadline you should review the current SAQ A form, which can be found [here](https://www.pcisecuritystandards.org/security_standards/documents.php), and conduct an audit of your policies and procedures. Check to make sure that everything is current and in line with what is required by the PCI SSC. By conducting an annual assessment of PCI requirements you can be sure you are maintaining a solid baseline of security to protect against potential threats.
## PCI Self-Assessment Questionnaire Explained
Garrett Stiles (https://aerissecure.com/blog/author/garrett/), 2012-01-19
https://aerissecure.com/blog/pci-saq-forms-explained/
For the majority of merchants (levels 2 - 4), PCI compliance can be reported through the PCI SSC Self-Assessment Questionnaires (SAQs). Essentially, an SAQ is a pared-down list of requirements from the full PCI Data Security Standard (DSS). One key thing to remember, however, is that just because a requirement doesn't show up in the SAQ questions doesn't mean you don't have to follow it. With that said, the way the PCI SSC has configured the SAQ forms, you probably don't have to worry about it too much. As long as you are using the correct form for the way you run your business, you are good to go.
There are currently 5 different SAQ types: A, B, C-VT, C, and D. Each one focuses on a different type of merchant and how they process credit card data. For instance, SAQ B is for merchants that only have face-to-face customers and use dial-up card terminals, whereas SAQ D addresses merchants that have Internet-type terminals and store card data.
The key to selecting the right SAQ is being familiar with your payment process and your computer network. When it comes to credit card payments there are in-person and card-not-present payments. In-person would be those where the person can physically hand you the credit card to swipe, while card-not-present is your typical online transaction. Knowing which types of payments you have in your business will help in selecting the right SAQ.
There are also 3 basic types of payment terminals to be aware of. The first is the old imprint type, where you make a carbon copy of the card. Not many businesses use these anymore. Then there is the dial-up terminal. These plug into a phone line (not the Internet) and must dial out every time a credit card is processed. These terminals are still widely used in many businesses. The last type is the IP terminal, one with a connection to the Internet. These devices are very convenient because they are always connected to your processor and can conduct transactions very quickly. Most of the newest terminals are IP based.
The last area to cover in determining your SAQ type is your computer network configuration. This can get complicated quickly, but for SAQ purposes there is really only one thing you need to know: does your business have multiple computers connected together, or just a lone system? A few telling signs that you are running a network are the existence of things like an Internet router/modem, network switches/hubs, numerous computer systems, and shared printers and other devices. The question of which type of network you have only comes into play when you use IP terminals. Dial-up terminals by nature are not part of a computer network, which simplifies your PCI requirements.
There are many SAQ Selector Tools out there that will guide you through the process of determining your SAQ validation type. These tools ask you simple questions about how you process card data and network configuration. With the basic knowledge outlined above you will be able to adequately answer the questions asked by such tools. The [Aeris Compliance Engine](services/merchant-portfolio-mgmt) (ACE) provides one to all merchants with an account. Once you know your SAQ type the next step is to report your compliance.
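The selection logic the post walks through (payment channel, terminal type, network isolation, electronic storage) written up as a small selector in Python. This is an added example, not the Aeris Compliance Engine or any PCI SSC tool; it encodes the eligibility rules only as this post series summarizes them, and falling back to SAQ D when no narrower form fits is an assumption of the example.

```python
"""SAQ selector encoding the eligibility rules as this post series states them.
Constructed example: the PCI SSC's official SAQ forms are the authority for a real decision."""
from dataclasses import dataclass
from enum import Enum


class Terminal(Enum):
    NONE = "none"                          # merchant never touches card data (fully outsourced)
    IMPRINT_OR_DIALOUT = "imprint_or_dialout"
    VIRTUAL_TERMINAL = "virtual_terminal"  # third-party web terminal, card data keyed by hand
    IP_TERMINAL = "ip_terminal"            # always-connected Internet terminal


@dataclass(frozen=True)
class Merchant:
    terminal: Terminal
    card_present: bool                  # any face-to-face (swipe or imprint) transactions
    ecommerce: bool                     # any web sales
    stores_electronically: bool         # any electronic cardholder data at rest
    receives_electronically: bool       # card data arriving by email, IM or digital fax
    provider_pci_compliant: bool        # processor / virtual-terminal provider is validated
    standalone_computer: bool = False   # virtual-terminal PC: Internet only, no LAN
    card_reader_attached: bool = False  # card-reading hardware on that PC


def select_saq(m: Merchant) -> tuple:
    """Return (SAQ type, reason), testing the narrowest form first."""
    # Storing card data electronically always means the full DSS (SAQ D).
    if m.stores_electronically:
        return "D", "electronic storage of cardholder data"
    # SAQ A: 100% card-not-present, payment handed off to a compliant third party,
    # and no card data ever received electronically.
    if (m.terminal is Terminal.NONE and not m.card_present
            and m.provider_pci_compliant and not m.receives_electronically):
        return "A", "card-not-present only, fully outsourced to a compliant provider"
    # SAQ B: imprint machines and/or dial-out terminals on a phone line; no e-commerce,
    # no electronic receipt of card data.
    if (m.terminal is Terminal.IMPRINT_OR_DIALOUT and not m.ecommerce
            and not m.receives_electronically):
        return "B", "imprint or dial-out terminals only, nothing electronic"
    # SAQ C-VT: every transaction keyed into a compliant provider's virtual terminal
    # from a stand-alone PC (Internet only, no LAN, no card reader); never e-commerce.
    if (m.terminal is Terminal.VIRTUAL_TERMINAL and not m.ecommerce
            and m.provider_pci_compliant and m.standalone_computer
            and not m.card_reader_attached and not m.receives_electronically):
        return "C-VT", "virtual terminal only, from an isolated computer"
    # SAQ C: Internet-connected processing (IP terminal, or a virtual terminal that
    # misses a C-VT condition) without storage; the C-VT post names this fallback.
    if m.terminal in (Terminal.VIRTUAL_TERMINAL, Terminal.IP_TERMINAL):
        return "C", "Internet-connected processing without electronic storage"
    # Assumed default: no narrower form fits, so the full DSS applies.
    return "D", "no narrower SAQ applies; full PCI DSS"
```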
Now that we have a bit more of a foundation for what an SAQ is, the next several posts will highlight each of the five SAQ forms and detail the types of merchants that should use them.