
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for protecting payment card data from attackers, so that cardholders get a safe, secure, easy and flexible way to pay.
The first step in making a client PCI DSS compliant is scoping: defining the environment in which the client processes or stores card data. To build the scope we first establish the client type, that is, whether it is a merchant, a service provider or an acquirer. Depending on the client type, the card brands have defined levels for merchants and service providers based on their annual number of transactions. The client then answers a Self Assessment Questionnaire (SAQ) about its payment card processing and storage environment; the SAQ is a simple yes-or-no questionnaire. A gap assessment is performed and documented by a professional to find the shortcomings of the existing environment, and, based on it, remediation is performed and documented to bring the client into compliance and thereby secure the environment in which payment card data is processed or stored. At the end, a Report on Compliance (ROC), or the completed SAQ for clients eligible to self-assess, and an Attestation of Compliance (AOC) are produced; for an on-site assessment the ROC is signed by a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council, confirming that the client meets the PCI DSS.
The Self Assessment Questionnaire (SAQ), as the name suggests, is designed to be answered by the merchants, service providers or acquirers themselves. There are basically five SAQs, namely A, B, C, C-VT and D (later versions of the standard added further variants, such as A-EP, B-IP and P2PE), and which one a client answers depends on how it handles the payment card details it acquires. A first glance at an SAQ will puzzle most clients, because many of the questions are technical. The client is expected to understand clearly the requirements behind the questions, regardless of how technical they are. When the client is a service provider or an acquirer, it will usually have the resources (such as an IT security team) to deal with the technical side of the questionnaire.
This is a problem when the client is a merchant. The card brands divide merchants into four levels according to their number of transactions per year. Level 1 and 2 merchants handle the largest number of transactions per year and are, in most cases, well protected. Level 4 merchants, with the smallest number of transactions per year, are arguably at the highest risk: they have to answer a similar SAQ with little or no technical support. The cost and time needed to educate any merchant about the technical questions in its SAQ are high, and for a level 4 merchant with limited funds, hiring a consultant to assist with the SAQ is expensive as well.
There is an emerging need for a new framework that allows any merchant to answer the SAQ with the least hassle. A merchant knows its own business and the modes of payment used in the company or shop. By gathering information about the merchant's payment procedures and the environment in which payments are processed, we can analyse whether most of the requirements the merchant has to meet to become PCI compliant are fulfilled or not. The same technique can be used to rule out requirements that do not apply to a particular merchant. For example, if a merchant confirms that there is no wireless connectivity in the shop or company, then the requirements that deal specifically with wireless networks (such as the firewall between any wireless network and the cardholder data environment, or strong encryption of wireless traffic carrying card data) do not apply to that merchant. The new framework should ask plain, simple questions about the business environment and the payment procedures the merchant performs. It should also make more use of interaction with the merchant through multimedia (pictures and videos), assisting and educating them so that they gain a better understanding of the technical questions.
The new framework should preserve the intent of the SAQ, namely the set of requirements the merchant must meet at the end to be compliant. The framework will never be an alternative to the SAQ, but a different approach to the same goal. It will help the merchant to "walk through" the hard technical questions in its SAQ in an easier and more refined manner. The framework should include machinery that, from the answered questions, populates the list of applicable requirements, marks those that do not apply, and analyses the rest to determine whether the merchant is compliant or not.
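The following is an added example, not part of the original text, of the kind of machinery the previous two paragraphs describe: plain-language answers from the merchant are used first to scope each requirement in or out, and then to classify the applicable ones as met, a gap, or not yet decidable. The requirement numbers follow PCI DSS v3.x with abridged wording, but the chosen subset, the answer keys and the scoping rules are assumptions made for this illustration and are not the official SAQ questions.

```python
"""Toy scoping-and-gap engine: plain-language answers -> applicable PCI DSS
requirements -> met / gap / unknown / not applicable.

Illustrative only: requirement numbers follow PCI DSS v3.x, the wording is
abridged, and the answer keys and rules are assumptions for this example,
not the official SAQ questions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Answers = Dict[str, object]   # answer key -> True/False/str; absent key = not answered yet


def _opt(a: Answers, key: str) -> Optional[bool]:
    """Boolean answer for key, or None when the merchant has not answered it."""
    v = a.get(key)
    return None if v is None else bool(v)


@dataclass(frozen=True)
class Requirement:
    ref: str
    summary: str
    applies: Callable[[Answers], bool]        # scoping rule: is this requirement in scope?
    met: Callable[[Answers], Optional[bool]]  # None = cannot be decided from the answers


def _has_wifi(a: Answers) -> bool:
    return bool(a.get("has_wifi"))


def _wifi_strong(a: Answers) -> Optional[bool]:
    enc = a.get("wifi_encryption")
    return None if enc is None else enc in ("WPA2", "WPA3")


def _no_sad(a: Answers) -> Optional[bool]:
    v = _opt(a, "stores_sad")
    return None if v is None else not v


REQUIREMENTS: List[Requirement] = [
    Requirement("1.2.3", "Firewall between any wireless network and the cardholder data environment",
                applies=_has_wifi, met=lambda a: _opt(a, "wifi_separated_from_pos")),
    Requirement("4.1.1", "Wireless networks carrying card data use strong encryption (never WEP)",
                applies=_has_wifi, met=_wifi_strong),
    # 11.1 stays in scope even when no Wi-Fi is intended: its purpose is to find rogue access points.
    Requirement("11.1", "Quarterly test for unauthorised wireless access points",
                applies=lambda a: True, met=lambda a: _opt(a, "rogue_ap_checks")),
    Requirement("3.4", "Stored PAN is rendered unreadable (truncation, hashing, encryption)",
                applies=lambda a: bool(a.get("stores_pan")),
                met=lambda a: _opt(a, "stored_pan_protected")),
    Requirement("3.2", "Sensitive authentication data (full track, CVV2, PIN) never stored after authorisation",
                applies=lambda a: True, met=_no_sad),
]


@dataclass(frozen=True)
class Finding:
    ref: str
    status: str      # "met" | "gap" | "unknown" | "not applicable"
    summary: str


def assess(answers: Answers) -> List[Finding]:
    """Populate every requirement from the answers and classify it."""
    findings = []
    for r in REQUIREMENTS:
        if not r.applies(answers):
            findings.append(Finding(r.ref, "not applicable", r.summary))
            continue
        result = r.met(answers)
        status = "unknown" if result is None else ("met" if result else "gap")
        findings.append(Finding(r.ref, status, r.summary))
    return findings


def statuses(findings: List[Finding]) -> Dict[str, str]:
    return {f.ref: f.status for f in findings}


def is_compliant(findings: List[Finding]) -> bool:
    """Compliant only when every applicable requirement is positively met; 'unknown' blocks it."""
    return all(f.status in ("met", "not applicable") for f in findings)


def gaps(findings: List[Finding]) -> List[str]:
    return [f.ref for f in findings if f.status == "gap"]


def still_to_answer(findings: List[Finding]) -> List[str]:
    return [f.ref for f in findings if f.status == "unknown"]


# Constructed sample answers for two hypothetical merchants.
SHOP_NO_WIFI: Answers = {
    "has_wifi": False, "stores_pan": False, "stores_sad": False, "rogue_ap_checks": True,
}
SHOP_WEP_AND_STORED_PANS: Answers = {
    "has_wifi": True, "wifi_encryption": "WEP",     # wifi_separated_from_pos not answered yet
    "stores_pan": True, "stored_pan_protected": False,
    "stores_sad": False, "rogue_ap_checks": True,
}

if __name__ == "__main__":
    for name, ans in (("no-wifi shop", SHOP_NO_WIFI), ("WEP shop", SHOP_WEP_AND_STORED_PANS)):
        f = assess(ans)
        print(f"{name}: compliant={is_compliant(f)} gaps={gaps(f)} unanswered={still_to_answer(f)}")
        for x in f:
            print(f"  {x.ref:6} {x.status:15} {x.summary}")
```

Two design points matter for a real implementation. First, an unanswered question must block compliance rather than default to "met", which is why `met` returns `None` and `is_compliant` treats "unknown" as failing. Second, scoping rules are not always as simple as "no Wi-Fi, so no wireless requirements": the rogue access point check (11.1) is kept in scope regardless, because it exists precisely to catch wireless the merchant did not intend to have.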
Such a framework would not only spare merchants the task of answering a plain-text questionnaire but also cut the expense of hiring an analyst to assist them with the procedure. It would be a great boon for merchants, especially level 4 merchants.