Self-Assessment Questionnaire (SAQ) Guide
V3.0
A / Card-not-present merchants
Merchant website is 100% hosted and managed by a PCI-compliant, 3rdparty payment processor, OR
No elements of the page originate from the merchant website.
No Electronic cardholder data storage / 14 / +1 / No / No
NEW
A-EP / Card-not-present merchants:
Merchant website creates a payment form and “direct posts” payment data to PCI-compliant, 3rd party payment processor, OR
Some elements of the payment page originate from the merchant website
No electronic cardholder data storage / 139 / NEW / Yes / Yes
B / Merchants with only standalone analog dial-out payment terminals:
No e-commerce transactions or electronic cardholder data storage / 41 / +12 / No / No
NEW
B-IP / Merchants with standalone, IP-connected payment terminals
No e-commerce or electronic cardholder data storage / 83 / NEW / Yes / No
C / Merchants with payment application systems connected to the Internet:
No e-commerce transactions or electronic cardholder data storage / 139 / +59 / Yes / Yes
C-VT / Merchants with web-based virtual payment terminals
No e-commerce transactions or electronic cardholder data storage / 73 / +22 / No / Yes
D-MER / E-commerce merchant that cannot meet the criteria for SAQ A or SAQ A-EP, OR
E-commerce merchant that stores credit card data, OR
Payment pages are delivered from the merchant’s website. / 326 / +38 / Yes / Yes
PCI Compliance 3.0
Updates to RequirementsPenetration Testing Required for SAQ A-EP, C, C-VT and D
- Cash Management & HUIT IT Security has negotiated pricing with Trustwave for penetration testing.TECHNICAL UPDATE
- Merchants will be responsible for the cost of penetration testing.
Anti-Virus Requirement Updates – SAQ A-EP, C, C-VT and D – Requirement #5 TECHNICAL UPDATE
- 5.3 New requirement - Anti-virus solutions must be actively running and cannot be disabled or altered.
Log Review Updates – SAQ A-EP, C, C-VT and D – Requirement #10TECHNICAL UPDATE
- Audit trails should be implemented to link access to system components to each individual user, in addition to establishing a process.
- All individual user access to cardholder data is to be included in audit trails.
- Log reviews should identify anomalies or suspicious activity, and logs should be reviewed daily.
Cardholder Data Updates – SAQ A-EP, C, C-VT, and D – Requirement #3TECHNICAL UPDATE
- Clarification of sensitive authentication data in memory is to be protected and documented.
Point-of-Sale Devices – SAQ B, B-IP, C and D – Requirement # 9BUSINESS PROCESS UPDATE
- Protect devices that capture payment card data via physical tampering and substitution of credit card.
- Maintain list of devices and periodically inspect devices for tampering.
- Train personnel to be aware of suspicious behavior and to report tampering or substitution of devices.
Managing Service Providers – All SAQs – Requirement #12BUSINESS PROCESS UPDATE
- 12.8.5 New Requirement – Document which PCI DSS requirements are managed by each service provider, and which are managed by the merchant.
- 12.9 New Requirement - Service providers provide the written acknowledgement to their customers of services provided and security of card data.
SAQ UpdateBUSINESS PROCESS UPDATE
- Merchants accepting credit cards using multiple payment channels must complete multiple SAQs addressing each payment environment.
PCI 3.0 Boot Camp-March 2015