How to Do a PCI Self Assessment

PCI Self Assessment

Don’t risk thousands of dollars in fines by failing to complete your PCI DSS annual validation correctly. In this article we’ll show you how to determine whether you need to conduct a PCI DSS self-assessment, how to conduct one, and which self-assessment questionnaire is right for you.

Any entrepreneur knows that the benefits of running a company come with drawbacks. Managing taxes, staff, overhead and the other moving parts of a business can quickly become overwhelming. Another challenge many companies face is making sense of PCI DSS and staying compliant with it. According to Verizon’s 2020 Payment Security Report, only 27.9% of organisations were fully compliant in 2019, down from 55.4% in 2016.

During your annual validation you’ll be asked to complete a PCI self-assessment questionnaire (SAQ) as part of the PCI DSS validation process. There are different questionnaires for different situations, and a self-assessment isn’t always the right route: the largest merchants must have an on-site assessment instead.

We’ll look at PCI DSS and walk you through the PCI self-assessment questionnaire phase in this article to make sure you’re checking the right boxes.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. In simple terms, it is a set of security requirements designed to ensure that every organisation that handles payment card cardholder data does so safely. This covers how the data is collected, stored, processed and transmitted.

The standard is published and maintained by the PCI Security Standards Council (PCI SSC), which was founded by the five major payment card brands:

  • Visa
  • JCB
  • American Express
  • Discover
  • Mastercard

Fall short and you will face the wrath of this Marvel-like squad of card brands. Justice arrives not as Thor’s hammer but as penalties: the brands fine your acquiring bank, which passes the fines on to you, and depending on the circumstances they range from $5,000 to $100,000 a month until you are back in compliance.

These requirements are grouped under six goals set by the PCI Security Standards Council and are formally known as the 12 PCI DSS requirements. In brief (the numbering follows PCI DSS v3.2.1):

Requirement 1 – Install and maintain a firewall configuration that restricts traffic between untrusted networks and the cardholder data environment, in both directions, to what is explicitly needed.

Requirement 2 – Do not use vendor-supplied defaults on any system component: change default passwords, remove unnecessary accounts and services, and harden configurations before a system goes into scope.

Requirement 3 – Protect stored cardholder data. Store the PAN only when there is a business need and render it unreadable wherever it is stored (truncation, strong one-way hashing, tokenisation, or strong encryption with sound key management); mask it when displayed; and never store sensitive authentication data (full track data, CVV2/CVC2, PIN) after authorisation, even encrypted.

Requirement 4 – Encrypt cardholder data in transit over open, public networks using strong cryptography. In practice that means TLS 1.2 or later: SSL and early TLS (TLS 1.0) are no longer accepted as strong cryptography and their deadline for removal was 30 June 2018. A certificate alone does not satisfy this requirement; the protocol version and cipher suites matter.

Requirement 5 – Deploy anti-malware software on all systems commonly affected by malware, keep it current, and ensure users cannot disable it.

Requirement 6 – Develop and maintain secure systems and applications: track vulnerability disclosures, install critical security patches within a month of release, and follow secure coding practices for in-house software.

Requirement 7 – Restrict access to cardholder data on a need-to-know basis, enforced by an access-control system that denies by default.

Requirement 8 – Assign a unique ID to every person with computer access, so that every action can be traced to an individual, and authenticate them properly; multi-factor authentication is required for all non-console administrative access and all remote access into the cardholder data environment.

Requirement 9 – Restrict physical access to the systems and media that hold cardholder data.

Requirement 10 – Track and monitor all access to network resources and cardholder data: log who did what, protect the logs from tampering, review them daily, and retain them for at least a year with three months immediately available.

Requirement 11 – Regularly test security systems and processes: quarterly internal and external vulnerability scans (the external scans by an Approved Scanning Vendor, ASV), penetration testing at least annually and after significant changes, and intrusion detection and change detection (file integrity monitoring) on in-scope systems.

Requirement 12 – Maintain an information security policy that is known to and followed by all personnel, including risk assessment, security awareness training and an incident response plan.
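As an added illustration of Requirements 3 and 10 (this code was written for this article; it is not from the PCI SSC, any card brand or any vendor), the Python below reduces a PAN to the only form that may persist after authorisation: masked to the first six and last four digits, plus a keyed HMAC-SHA256 reference for lookups, in a record that has no field in which CVV2, track data or a PIN block could be kept. It then scans constructed log lines for full PANs written unmasked, using the Luhn check to keep session IDs and timestamps out of the alerts. The HMAC key, the sample PANs (brand-published test numbers that pass Luhn but are not real accounts) and the log lines are all assumptions constructed for the example.

```python
"""Requirement 3 and 10 helpers: store only what is allowed, detect what leaked.

Added example for this article, not PCI SSC or vendor code. Assumptions: the
HMAC key lives in a secrets store outside the database, and the PANs and log
lines below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample input: brand-published test PANs (pass Luhn, not real accounts).
TEST_PANS = {
    "visa": "4111111111111111",
    "mastercard": "5555555555554444",
    "amex": "378282246310005",
}


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check that every card brand's PANs satisfy.

    Used both to validate input and to cut false positives when scanning logs.
    """
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3 display masking: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, secret: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) for lookups such as "has this card been seen".

    A bare SHA-256 of a PAN is weak: once the BIN is known the remaining digit
    space is small enough to enumerate, so the hash must be keyed and the key
    kept out of the database that holds the hashes.
    """
    return hmac.new(secret, pan.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    """The only card record that may persist after authorisation.

    Deliberately no field for CVV2/CVC2, full track data or PIN block: that
    sensitive authentication data must never be stored after authorisation.
    """
    masked_pan: str
    pan_ref: str
    expiry: str


def store_card(pan: str, expiry: str, secret: bytes) -> StoredCard:
    """Normalises, validates and reduces a PAN to the storable form."""
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_ok(digits):
        raise ValueError("PAN fails Luhn check")
    return StoredCard(mask_pan(digits), pan_reference(digits, secret), expiry)


# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pan_leaks(line: str) -> list[str]:
    """Masked form of every full PAN found unmasked in one log line.

    A full PAN in a log breaches Requirement 3, and the Requirement 10 audit logs
    are themselves in scope, so this belongs in daily log review. Luhn filtering
    keeps timestamps, order numbers and session IDs from being reported.
    """
    leaks = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            leaks.append(mask_pan(digits))  # report masked so the alert itself is safe to keep
    return leaks


def audit_logs(lines: list[str]) -> list[tuple[int, str]]:
    """(1-based line number, masked PAN) for every leak across a log excerpt."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_pan_leaks(line)]


# Constructed log excerpt: line 1 leaks a full PAN, line 2 is correctly masked,
# line 3 carries a 16-digit session ID that fails Luhn and must not be flagged.
SAMPLE_LOGS = [
    "2021-03-04T10:11:12Z order=88213 pan=4111 1111 1111 1111 result=approved",
    "2021-03-04T10:11:13Z order=88214 pan=411111******1111 result=approved",
    "2021-03-04T10:11:14Z order=88215 session=1234567890123456 result=ok",
]

if __name__ == "__main__":
    record = store_card(TEST_PANS["amex"], "12/25", b"demo-key-from-secrets-store")
    print(record)
    print(audit_logs(SAMPLE_LOGS))
```

Two design points worth noting. The reference hash is keyed because PCI DSS 3.4 warns that a truncated PAN and an unkeyed hash of the same PAN stored together can be correlated to reconstruct the original; with the key held outside the database, the masked value and the HMAC can coexist. And the leak scanner reports PANs already masked, so the alert record it produces does not itself become a new place where full PANs are stored.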

How to Maintain PCI Compliance

PCI compliance is not a one-off: you are expected to meet the applicable requirements continuously, and to prove it once a year through an annual validation (plus, for most merchants, quarterly external vulnerability scans). How many of the requirements apply to you depends on how deeply you are involved in handling cardholder data. If, for example, you outsource payment processing to a validated third party and never touch card data yourself, only a subset of the requirements is in scope.

And I’m sure you don’t want to mess up your yearly validation after reading “$5,000 to $100,000 a month” in fines. We also understand that you’ve come to learn “how to do a PCI self-assessment,” but it’s critical that you complete these first few steps before moving on to the self-assessment section.

The first step in nailing your annual validation is to figure out what merchant level you are. Your level matters because it determines whether you may self-assess at all, and the questionnaire you then need depends on how you accept cards. Levels are defined by each card brand and assigned by your acquiring bank; Visa’s and Mastercard’s definitions, which most acquirers use, are:

  • Level 1 Merchant – Any merchant processing more than 6 million Visa or Mastercard transactions per year (any channel), or more than 2.5 million American Express transactions per year, or any merchant that has suffered a data breach. The card brands also reserve the right to designate any merchant as Level 1 at their discretion.
  • Level 2 Merchant – Any merchant processing 1 million to 6 million transactions per year (any channel).
  • Level 3 Merchant – Any merchant processing 20,000 to 1 million e-commerce transactions per year.
  • Level 4 Merchant – Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year.

Which PCI Self-Assessment Questionnaire Should You Choose?

Once you know your level you can work out which PCI self-assessment questionnaire (SAQ), if any, applies. Level 1 merchants don’t use an SAQ at all: their path is more involved, with an annual on-site assessment by a Qualified Security Assessor (QSA), or by a PCI-trained Internal Security Assessor (ISA), resulting in a Report on Compliance (ROC). Keep reading if you’re a Level 2-4 merchant, because the rest of this article applies to you. Check with your acquirer first, though: some brands (Mastercard, for one) require a Level 2 merchant’s SAQ to be completed by an ISA or a QSA rather than by the merchant alone.

How to Do a PCI Self Assessment

We’ve made it! Now for the fun part: how to do a PCI self-assessment. For merchants in levels 2-4, this is a critical phase in the annual validation process. All you have to do now is:

  • Download the appropriate PCI self-assessment questionnaire and respond to the prompts.
  • Fill out an Attestation of Compliance form (more on that momentarily).

It’s important that you answer the SAQ questions truthfully. A knowingly false attestation exposes you to… you guessed it… more fines, and if a breach later shows the answers were wrong the consequences are far worse. Answering “No” on a question is allowed, but it means you cannot attest to full compliance: the Attestation of Compliance then requires an action plan with a target remediation date for each requirement not in place, and your acquiring bank will follow up until the “No” becomes a “Yes”. Where a requirement can’t be met as written but you have an alternative control that meets its intent, document it on the Compensating Controls Worksheet instead of simply answering “No”.

You’ll also need to complete an Attestation of Compliance (AOC) in addition to the questionnaire, as I said earlier. The AOC is the signed declaration of your self-assessment’s results and is what your acquirer actually collects. The correct AOC is packaged with each self-assessment questionnaire you download, along with instructions on how to complete it.

Figuring Out Which PCI DSS Self-Assessment Questionnaire to Download

As previously mentioned, there are a variety of PCI DSS self-assessment questionnaires to choose from, and you must know which one to use. These are sorted by “how you accept payment cards” for level 2-4 PCI merchants.

Below is a summary of each questionnaire, organised by how you accept payment cards, so you can pick the one that is right for your business (all are downloadable from the PCI SSC document library):

  • SAQ A – Card-not-present merchants (e-commerce, mail or telephone order) that have outsourced all cardholder data functions to PCI DSS validated third parties, and that do not store, process or transmit cardholder data electronically on their own systems or premises. Not applicable to face-to-face channels.
  • SAQ A-EP – E-commerce merchants whose payment processing is entirely outsourced to PCI DSS validated third parties, but whose website, while it does not itself receive cardholder data, can affect the security of the payment transaction (for example, it serves the page that redirects to or embeds the processor’s payment form). No electronic storage of cardholder data. Applicable only to e-commerce channels.
  • SAQ B – Merchants using only imprint machines or standalone dial-out terminals, with no electronic cardholder data storage. Not applicable to e-commerce channels.
  • SAQ B-IP – Merchants using only standalone PIN Transaction Security (PTS) approved payment terminals with an IP connection to the payment processor (this SAQ was introduced in the February 2014 update), with no electronic cardholder data storage. Not applicable to e-commerce channels.
  • SAQ C-VT – Merchants that manually key in one transaction at a time into a virtual terminal supplied and hosted by a PCI DSS validated third party, from an isolated computer, with no electronic cardholder data storage. Not applicable to e-commerce channels.
  • SAQ C – Merchants with a payment application system connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.
  • SAQ P2PE-HW (now simply SAQ P2PE) – Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed point-to-point encryption (P2PE) solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.
  • SAQ D for Merchants – Any merchant that does not fit one of the groups above.
  • SAQ D for Service Providers – Service providers that a payment brand has deemed eligible to complete an SAQ.

If you’re still unsure which self-assessment questionnaire to go with, the PCI Security Standards Council has put together a helpful infographic that walks you through the choice. If all else fails, the council also recommends contacting your acquiring bank or the card brand for assistance.

Which PCI DSS Self-Assessment Best Applies to Your Situation?

[Infographic: PCI SSC chart for choosing the right SAQ; not reproduced here.]

Use a PCI Compliance Scanner Tool to Help You Nail Your Self-Assessment

Completing a PCI DSS self-assessment questionnaire can be stressful, but there is a way to take the stress out of it: make sure you are actually compliant before your annual validation, rather than discovering gaps while filling in the form. I know, there are a lot of intricate requirements to keep track of. How does anyone manage it?

Fortunately, part of the work can be automated. Consider a service like HackerGuardian, an Approved Scanning Vendor (ASV) PCI compliance scanner. HackerGuardian:

  • scans your internet-facing, in-scope systems for vulnerabilities that would fail a PCI scan,
  • compiles a report outlining the problems found and how to resolve them, and
  • packages the passing result as a tidy scan report you can send to your acquiring bank.

A tool like this makes the PCI DSS compliance process much more manageable and takes away the fear of a missed vulnerability costing you one of those dreaded fines. Be clear about what it covers, though: an ASV scan satisfies the quarterly external vulnerability scanning part of Requirement 11 (required if you complete SAQ A-EP, B-IP, C or D); it does not answer the rest of the questionnaire for you.

How to Do a PCI Self Assessment — Final Word

So, we’ve made it. We went through everything from what the PCI DSS is to how to complete the PCI self-assessment questionnaire. We hope you now understand how to do a PCI self-assessment and can easily complete it.

If you need more reading material, we have another article that delves deeper into the PCI DSS topic. If you need help becoming and staying PCI DSS compliant, I suggest using the HackerGuardian tool, because it will make the process far easier for you. Best wishes!

Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker and Author at Cybers Guards & w-se, and previously worked as a security news reporter.