PCI DSS – Preparing For Change – Part 2
In his previous blog, Phil Brining explained what the PCI DSS is, how it came about and how to find out if you are compliant. In this blog, Phil reviews why there are different SAQs (Self-Assessment Questionnaire) and how they are different.
For a moment, let us consider the various channels through which retailers accept card payments. They may have shops, a telephone order contact centre and a mail order operation, as well as e-commerce websites and unattended devices such as vending machines and parking meters.
When I first started working with the PCI DSS back in 2008, I was working for a leading Premier League football club. We took card payments at the stadium ticket office windows, via the club’s ticketing website and our retail website, as well as on concourse bars and in corporate hospitality suites. We took payments by phone in several departments and via mail order. People would even email us their credit card information to buy tickets for games! I consider myself incredibly lucky to have started working with the PCI DSS in such a complex environment, because it helped me to understand all about it.
If you think about it, each of those payment channels has a different risk profile. Taking card payments face to face is completely different from taking them over the phone, and both are different again from taking them via an e-commerce website. What this means is that you would expect to see different controls in place for each channel. For example, the risk of card skimming may be greater for payments made using chip and PIN devices than it is for payments made via an e-commerce website. The risks associated with telephone payments keyed into a chip and PIN device by a contact centre operative are likely to be different from those where the buyer keys their card digits directly into their telephone handset, which is connected to a payment gateway.
The PCI DSS recognises this and has determined which of its 250+ requirements apply to each payment channel. This results in a set of nine SAQs (Self-Assessment Questionnaires), each containing a sub-set of the 250+ requirements. Whether a merchant self-assesses or has a QSA conduct an external assessment, the requirements assessed are those applicable to the payment channel in question, and the relevant SAQ defines that set.
For example, a merchant may have to assess its mail order/telephone order operation using SAQ-C, which contains 124 requirements, whereas it may be required to assess its physical retail outlet using SAQ-B, which contains a mere 28. How so, you may ask?
Well, in simple terms, a bricks and mortar retail outlet may take payments via stand-alone chip and PIN devices connected directly to the public telephone network. Such devices are configured to encrypt the cardholder data input to them and transmit it directly to a known payment gateway. By contrast, a mail order/telephone order (MOTO) set-up may rely on buyers physically posting slips of paper containing their card data, or on callers verbally relaying their card data to a call centre operative. In both cases, the recipient may need to key the cardholder data into an application running on a computer that sits on the merchant's network. It may even be the case that the calls are recorded or the slips of paper retained, meaning that cardholder data is stored in plain text or as audio for a period of time.
The bricks and mortar set-up described above has what is known as a smaller attack surface (i.e. fewer points of attack) than the MOTO set-up. Therefore, the PCI DSS applies a greater number of requirements to the MOTO set-up than to the bricks and mortar one: SAQ-C (MOTO) has 124 controls whereas SAQ-B has 28.
So, what kinds of things are in SAQ-C that are not in SAQ-B? Well, for starters, PCI DSS v4.0 requirement 1.3.1 states that inbound traffic to the CDE (cardholder data environment) is restricted to only the traffic that is necessary, and that all other traffic is specifically denied. As the MOTO set-up described above runs over a network, requirement 1.3.1 applies; but as the bricks and mortar set-up does not put cardholder data onto the merchant's network at all (the terminal dials the gateway directly), requirement 1.3.1 does not apply. So, 1.3.1 is a requirement of SAQ-C but not of SAQ-B.
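To make the 1.3.1 distinction concrete, the following is an added example (not code from the original blog or from the PCI SSC): it models a CDE firewall's inbound chain, evaluates a handful of constructed inbound connection attempts under a default-allow policy and under the default-deny policy 1.3.1 requires, flags any rule that admits "any" source, and renders the allow-list as an nftables ruleset. The subnets, hosts, ports and flows are hypothetical; only the HTTPS path from contact-centre desktops to the payment application and an administrative path from a jump host are assumed to be necessary.

```python
"""Added example (not from the original post): a small model of PCI DSS v4.0
Req. 1.3.1, 'inbound traffic to the CDE is restricted to only traffic that is
necessary; all other traffic is specifically denied'. All addresses, ports and
flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str    # source CIDR permitted to reach the CDE
    dst: str    # destination CIDR inside the CDE
    proto: str  # "tcp" or "udp"
    dport: int  # destination port
    why: str    # documented business need for the rule


@dataclass(frozen=True)
class Flow:
    src: str    # source IP of an inbound connection attempt
    dst: str    # destination IP inside the CDE
    proto: str
    dport: int


# Hypothetical layout: the CDE is 10.20.0.0/24 and hosts the payment
# application (10.20.0.10). Contact-centre desktops sit on 10.10.5.0/24 and a
# dedicated admin jump host at 10.10.99.10. Nothing else needs inbound access.
CDE = ip_network("10.20.0.0/24")
NECESSARY = [
    Rule("10.10.5.0/24", "10.20.0.10/32", "tcp", 443,
         "contact-centre desktops to payment application over HTTPS"),
    Rule("10.10.99.10/32", "10.20.0.0/24", "tcp", 22,
         "administration from the dedicated jump host"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls within the rule's source, destination, protocol and port."""
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and flow.proto == rule.proto
            and flow.dport == rule.dport)


def decide(flow: Flow, rules: list, default_deny: bool) -> str:
    """First-match evaluation of the allow-list, then the chain's default policy."""
    if ip_address(flow.dst) not in CDE:
        return "not-cde"
    if any(matches(r, flow) for r in rules):
        return "allow"
    return "deny" if default_deny else "allow"


def permitted(flows, rules, default_deny):
    """The subset of flows that would actually reach the CDE under this policy."""
    return [f for f in flows if decide(f, rules, default_deny) == "allow"]


def overly_broad(rules):
    """Rules admitting any source: not 'only traffic that is necessary'."""
    return [r for r in rules if ip_network(r.src).prefixlen == 0]


def render_nftables(rules, default_deny):
    """Render the allow-list as an nftables input chain; the policy line is the 1.3.1 control."""
    policy = "drop" if default_deny else "accept"
    lines = ["table inet cde {", "  chain inbound {",
             f"    type filter hook input priority 0; policy {policy};",
             "    ct state established,related accept"]
    for r in rules:
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst} "
                     f"{r.proto} dport {r.dport} accept  # {r.why}")
    lines += ["  }", "}"]
    return "\n".join(lines)


SAMPLE_FLOWS = [  # constructed inbound attempts against the CDE
    Flow("10.10.5.17", "10.20.0.10", "tcp", 443),   # agent keying a MOTO payment
    Flow("10.10.99.10", "10.20.0.10", "tcp", 22),   # admin via the jump host
    Flow("10.10.5.17", "10.20.0.10", "tcp", 22),    # SSH from an agent desktop
    Flow("10.10.40.3", "10.20.0.10", "tcp", 3389),  # RDP from an unrelated LAN
    Flow("192.0.2.44", "10.20.0.10", "tcp", 80),    # cleartext HTTP from outside
]

if __name__ == "__main__":
    for default_deny in (False, True):
        label = "default deny (Req. 1.3.1)" if default_deny else "default allow"
        allowed = permitted(SAMPLE_FLOWS, NECESSARY, default_deny)
        print(f"{label}: {len(allowed)} of {len(SAMPLE_FLOWS)} flows reach the CDE")
    print(render_nftables(NECESSARY, default_deny=True))
```

Under default allow all five constructed flows reach the payment server, including RDP from an unrelated LAN and cleartext HTTP from outside; with `policy drop` only the two documented paths do. The `why` field matters as much as the rule: 1.3.1 sits alongside the v4.0 requirement to keep a documented business justification for every permitted service, so an auditor will ask for it.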
The important thing to realise is that not all the changes brought about by PCI DSS v4.0 will necessarily apply to you and your set-up, so please check how you might be affected.
Key changes in PCI DSS v4.0
PCI DSS v4.0 brings quite a lot of changes. There are subtle changes to requirements we are already used to from v3.2.1, there are 58 new requirements, and some requirements have moved to a different section. It is vitally important that merchants understand which requirements apply to them and what they will have to do to demonstrate that they meet them. One thing is absolutely certain: meeting the new standard will require changes to IT systems, to processes and to work practices.
If you would like to take a look back at part one of this blog, follow this link.
If you would like support with any area of the PCI DSS, please visit our service page and check out how we could help you. Data Protection People are a registered QSA, making us one of fewer than 50 organisations in the UK able to consult on PCI DSS.