PCI Compliance

How to Qualify for a Shorter PCI Security Audit  

June 28, 2024

A PCI security audit can take weeks – if not months – to complete. Scoping your systems, collecting the evidence, filling out the paperwork, and submitting the documentation is a major undertaking. If you have a large IT department, you may be able to divide and conquer somewhat efficiently, but if you don’t have an experienced team who can give your PCI audit their full attention, the process can be a major burden. 

(A quick note: there are two different types of PCI audits: internal and external. External audits, which involve engaging a third-party Qualified Security Assessor, are only required for merchants who process more than 6 million credit or debit card transactions each year. However, any organization that accepts credit card payments – even if they are well below the 6 million transaction threshold – must complete an annual internal audit in the form of a Self-Assessment Questionnaire, or SAQ. For the rest of this article, we will refer to internal PCI security audits.) 

Avoiding the PCI SAQ-D 

There’s no way for merchants to opt out of an annual PCI Self-Assessment Questionnaire (SAQ). However, merchants can reduce the amount of work that goes into PCI compliance by qualifying for a reduced SAQ.  

Here’s how Ryan Nichols, PCI-Certified Qualified Integrator and Reseller (QIR) and Certified Payment Security Practitioner (CSSP) explains it:  

“There are 8 different SAQs. Each one applies to a different type of credit card processing environment. The SAQ A, for instance, is for merchants who only process mail orders or phone orders AND use a third-party service provider for the credit card processing function. They do not store, process, or transmit any cardholder data on their own system. The SAQ B, meanwhile, may be an option for merchants who use standalone payment terminals that use an IP connection to the payment processor, but who don’t store any of their own cardholder data electronically.   

However, depending on how many different channels merchants accept credit card payments on, they may have to complete several SAQs – one to cover each of the different environments.  

If a particular environment doesn’t qualify for one of the reduced SAQs, the merchant will have to default to the SAQ-D. This questionnaire has 329 questions (compared to, for example, 31 for the SAQ A, 74 for the SAQ C-VT, and 82 for the SAQ B-IP.)  

The moral of the story? Avoiding the SAQ-D will make your life much easier.”  


See how Bartlett Bearing used Curbstone to avoid the PCI SAQ-D. 

Who Can Qualify You for a Shorter PCI Security Audit? 

A QSA is the only person who can definitively say whether you qualify for a reduced-scope SAQ. Your QSA can also help you decipher the requirements of the PCI DSS and recommend ways to optimize your payment processing infrastructure.  

The first thing your QSA will typically recommend is for you to identify all the places you initially interact with cardholder data. Do you type it in when you enter a new order in your ERP? Do you use credit card terminals at a physical checkout counter? What about your website? 

From there, how does that data flow through your system? What people, processes, and technologies interact with it along the way?  

As you work to reduce your scope and qualify for a shorter security audit, your QSA may recommend strategies such as: 

  • Using P2PE (point-to-point encryption) for all of your payment card and cardholder data 
  • Using properly configured firewalls to restrict traffic between the cardholder data environment and the rest of your corporate network  
  • Segmenting out specific parts of your network so only portions of your infrastructure interact with cardholder data  
  • Outsourcing payment processing activities to a third-party PCI-Validated Level 1 Service Provider  

The newest version of the PCI DSS allows merchants more flexibility in how they meet their security obligations. This means that – with the help of the above strategies and a QSA – you may be able to achieve, maintain, and demonstrate PCI compliance more easily than ever before. 

Take the First Step Toward Qualifying for a Shorter PCI Security Audit 

At Curbstone, we’ve helped hundreds of merchants streamline their security and compliance efforts. Our credit card processing software keeps cardholder data off users’ systems, helping them qualify for shorter internal audits, while also providing a quick, consolidated and integrated payment system.  

For a more in-depth look at how our technologies can reduce your PCI scope, download our whitepaper: Save Time, Increase Security, and Reduce Your Payment Processing Fees. Or, tell our team how you’re currently processing payments and we’ll help you find a more secure option that reduces your audit scope.