SAQ.  Three letters that can strike fear into the minds of hackers.

Self-Assessment QuestionnaireSAQ.  Provided by our friends at the Payment Card Industry Security Standards Council (SSC).

The PCI Data Security Standards (DSS) were developed to ensure that companies accepting credit cards follow industry best practices when handling sensitive consumer information, including their card numbers.  These are the "BEST PRACTICES" for merchants, and the way they are validates is with very specific questions, as many as ~600, provided by the PCI SSC.

As of 01/31/2017 - yes, years ago - your bank/acquirer was obligated to require a self-audit from YOU.

pci saq required 

Heard nothing from them?  This mandate may not have been enforced by your bank or acquirer, though that does not let you off the hook.

An unknown but certainly large number of merchants accepting credit cards have not submitted the SAQ and accompanying Attestation of Compliance from an executive of your company.  These documents attest to your compliance with the Payment Card Industry Data Security Standards (PCI DSS).

"Merchants are very strongly advised to adhere to these standards to become PCI-compliant to minimize their liability, should their security be breached," said Curbstone Corporation's Operations Manager, Ryan Nichols, PCI QIR.

The PCI standards apply to merchants in different ways depending on their processing methods.  Included in each are Self Assessment Questionnaires containing varying numbers of questions which must be answered during the compliance process.

pci saqs

then select the drop-down for SAQs:

pci saq library 

As merchants work through the questions, the areas in which their operations fall short will be identified, so that these can be remedied in a step-by-step, methodical way.

Curbstone Corporation is the only provider in America of payment card processing which integrates completely with back-end systems running on the IBM i operating system and, according to Mr. Nichols, the company can assist its merchants in two ways on their route to becoming PCI compliant.

The first of these is that use of the Curbstone system reduces the scope of the PCI standards, which apply to any particular business storing, processing or transmitting credit cards. Key to that is the fact that card numbers are no longer stored on the merchant’s system and thus, cannot be exposed during a security breach. This accomplishment also greatly reduces scope due to the fact that everything is connected to the sytem that formerly housed card data; ERP, workstations, additional servers. If the system touches card data, then all other systems connected to it must be audited.

pci saq compare

The second way that Curbstone assists their merchants is that they know card transactions. With over two decades experience, Curbstone's fully qualified transactions can qualify a merchant for the best rates possible.  This saves them money by preventing downgrades and combating chargebacks.  All the while, becoming more secure!

Curbstone cannot make the final determination as to which SAQ applies in any situation – only a PCI certified Qualified Security Assessor (QSA) may do so.  Curbstone’s clients often have the scope of their PCI requirement reduced to a great extent.

The first step in the compliance process is to choose which SAQ fits the merchant’s situation. Next on the list is to fill the questionnaire accurately and make the necessary changes to the business process where it is found to be lacking.

Once compliance is achieved and the SAQ updated, a formal attestation of compliance (AOC) must be completed and filed with the merchant provider and/or bank.

"At Curbstone, we recommend in the strongest possible way that all merchants should become compliant as soon as possible," Mr. Nichols said. "Compliance is mandatory, and the enforcing figures (Acquirers) may not yet be demanding submission.  A breach in security can leave the non-compliant merchant in a far less defensible position than they would have been if they had gone through the process."