QSA Tip of the Day: FAQ 1331
Today’s QSA tip has the potential to save you a lot of time, effort, and cost associated with getting your organization into compliance with the PCI Data Security Standard (DSS). Triaxiom Security is a PCI QSA certified company who performs audits on a myriad of organizations trying to meet PCI standards. From large organizations who accept credit cards in several different ways, to mom-and-pop shops who only accept card-present transactions, we have seen it. Our main goal when working with an organization is to partner with them to help them achieve compliance as efficiently as possible. In many cases, we utilize a surprisingly little-known FAQ published by the PCI Council that may have a tremendous impact on your ability to meet the requirements.
PCI FAQ 1331 states that “entities with environments that fully meet all the eligibility criteria defined in a particular Self Assessment Questionnaire (SAQ) may use that SAQ as a reference to identify the applicable PCI DSS requirements for that environment.” This is huge. For example, if you are a retailer who only accepts card payments via point of sale terminals that are connected to phone jacks (SAQ B), you can use SAQ B as a guide to determine which requirements are applicable even if you have to do a full-blown QSA onsite evaluation. This is not immediately evident, as the Report on Compliance (RoC) that a QSA has to fill out has every requirement listed, similar to a SAQ D. In fact, we’ve run into several situations where organizations were audited by other QSAs not familiar with this guidance and, as such, were being forced to meet every requirement.
This FAQ has the potential to make life a lot easier for a lot of organizations. As long as you can meet the requirements for a particular SAQ, you can effectively cut every requirement that is not addressed in that SAQ. Some of these requirements, for example penetration testing in requirement 11.3, have significant costs associated with them. Therefore, if this FAQ is applicable to your organization, it could potentially save you thousands of dollars, not to mention the headache and confusion associated with meeting controls that are not particularly applicable.
This FAQ can also help service providers when filling out their SAQ D – Service Provider. If you are a service provider who meets the requirements of another SAQ (e.g. if you handle billing using phone payments that you type into a virtual terminal, meeting SAQ C-VT) then you can use that to tailor down the requirements in your SAQ D – Service provider.
As always, it is important that you consult with your acquiring bank or the payment brand directly to confirm your approach. They are the ones ultimately accepting the risk and the only ones authorized to approve your approach and any variations made from the published reporting standard. However, if approved, this could make your life significantly easier.