Updated PCI DSS Self Assessment Questionnaire (SAQ) version 1.1
Posted on Wednesday, February 06, 2008 by Bryan Johnson
The PCI Security Standards Council released the new 1.1 version of the Self Assessment Questionnaire (SAQ). The SAQ is a validation tool designed to help merchants demonstrate compliance with PCI DSS. With this release, there are now four unique forms (SAQ A, B, C, D) designed to meet the specific needs of various business scenarios. Any SAQ submissions after April 30, 2008 must be completed using the new 1.1 version. Here are the four different versions:
- SAQ A: Addresses requirements applicable to merchants who have outsourced all processing, transmission and storage of cardholder data.
- SAQ B: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or standalone dial-up terminals only.
- SAQ C: Constructed to focus on requirements applicable to merchants whose payment applications systems are connected to the Internet.
- SAQ D: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B or C.
Here is some other helpful information:
- PCI SSC SAQ Summary: How it All Fits Together - visual representation.
- Instructions for Completing the SAQ - helps determine which SAQ is appropriate for your business.
- Navigating PCI DSS - Additional information about the 'intent' of PCI as well as some helpful guidance.
- Frequently Asked Questions
Here is the entire press release:
Qualified Security Assessors (QSA's) for PCI DSS Compliance
Posted on Wednesday, January 30, 2008 by Bryan Johnson
I recently interviewed Brian Serra from Accuvant about Qualified Security Assessors (QSA's). Brian is a CISSP, QSA and ISO 27001 Lead Auditor. Accuvant is a security consulting firm that helps companies address complex information security challenges. The firm focuses on four primary areas: Assessment, Compliance, Wireless and Security Technologies.
1. What is a QSA? QSA stands for Qualified Security Assessor. It is a certification obtained by experienced security consultants to enable them to conduct the On-Site Data Security Assessment for PCI DSS Compliance. QSA's are required to recertify every year by attending training by PCI and passing the exam. A recertifying QSA must obtain additional CPE's from training and other experiences in order to obtain certification. Some QSA's also maintain other certifications. For example, all of Accuvant's QSA's are also ISO 27001 Lead Auditors. I myself am certified as a CHSP (HIPAA). There are over 100 QSA companies, and individual QSA's must work for a company that maintains the PCI certification. In choosing a QSA, merchants will want a firm that has processes/infrastructure similar to theirs.
2. What types of services do QSA's provide merchants? On-Site Data Security Assessments (PCI "Audits"), Gap Analysis, Remediation Services, General PCI consulting and advice. Depending on the size of the company and number of distinct credit card processes, most engagements will last somewhere between 2 and 6 months.
3. Are merchants required to work with a QSA to become PCI Compliant? No, Level 2-4 Merchants and Level-3 Service Providers use the PCI Self-Assessment Questionnaire to self-certify. Level-1 Merchants and Level 1-2 Service Providers will require a QSA to conduct their annual On-Site Data Security Assessment. There is one caveat: an internal audit group can do the On-Site Assessment, but the results must be signed off by an Officer of the company.
4. What are the pros and cons of 'doing it yourself' versus hiring a QSA? QSA - Pros: Third-party validation which proves 'due diligence'. Cons: Costs money. But that is not to say more money. Companies may end up spending more money doing it themselves when including the cost of internal resources and diversion from other profit-generating projects. DIY - Pros: May be more economical. Cons: Difficult to get up to speed on all the PCI DSS requirements. Merchants may miss key areas or controls.
5. How much does it cost to hire a QSA and is it economical for all businesses? It depends on how mature the compliance program is at the particular business. The cost to make an application PCI compliant averages about $100k.
PCI DSS Payment Card Industry Self-Assessment Questionnaire (SAQ)
Posted on Saturday, January 19, 2008 by Bryan Johnson
From the PCI Security Standards website:
The PCI Self-Assessment Questionnaire (SAQ) is a validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance to the PCI DSS. The currently posted version of the SAQ is based on the Payment Card Industry (PCI) Data Security Standard (DSS) v. January 2005. The new SAQ is expected to be released in early '08.
The questionnaire is divided into six sections with a total of 12 requirements (sub-sections), all containing yes/no questions. Each section focuses on a specific area of security based on the requirements included in the PCI Data Security Standard. If a merchant can answer "Yes" or "N/A" to all questions in each section, they are considered compliant with the self-assessment portion of the PCI Data Security Standard. If any questions are answered "No", merchants will need to address these vulnerabilities. There are a number of Approved Scanning Vendors (ASV's) that help merchants fill out the SAQ and provide the required quarterly network security and vulnerability scan. (Read more on Approved Scanning Vendors and security and vulnerability scans)
Here are the six sections and 12 requirements:
Section 1: Build and Maintain a Secure Network.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Section 2: Protect Cardholder Data.
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Section 3: Maintain a Vulnerability Management Program.
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Section 4: Implement Strong Access Control Measures.
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Section 5: Regularly Monitor and Test Networks.
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Section 6: Maintain an Information Security Policy.
Requirement 12: Maintain a policy that addresses information security.
Other related posts:
PCI DSS Compliance basics for credit card security
PCI DSS Compliance and the cost of a credit card breach
Braintree solutions: The Smart Approach to PCI DSS Compliance
Vulnerability and security assessment scans for PCI DSS Compliance
Posted on Saturday, January 19, 2008 by Bryan Johnson
PCI DSS Compliance requires that merchants have comprehensive application vulnerability scans at least every quarter.
I reached out to ControlScan and SecurityMetrics, two leading providers in the industry, and asked them to help explain why scans are required, what protection they provide, what they cost and how to evaluate different providers. From ControlScan I spoke with CEO Joan Herbig, and from SecurityMetrics, VP of Business Development Wenlock Free.
1. Why are IP scans required for PCI Compliance?
ControlScan: "The Payment Card Industry Data Security Standard requires that you scan all outward facing IP addresses. These IP addresses are not protected by the firewall, allowing a hacker to easily access the server and sensitive information through an open port. The Payment Card Industry views threats from two perspectives: internal and external. The PCI Self Assessment Questionnaire (SAQ) identifies and mitigates risk from the inside (behind the firewall) while the IP scans identify and mitigate risk from the outside."
SecurityMetrics: "At the 2007 MasterCard Intl. Security Symposium, MasterCard said, "9 of 10 compromises would have been prevented with regular vulnerability assessment." The reason compromises occur is because of software bugs which are exposed through your Internet-facing entry points, also known as external IP addresses. The name of the game is finding those bugs before the hackers do, and fixing them before they exploit them."
2. Beyond PCI DSS Compliance, what protection do scans provide merchants?
ControlScan: "The rules and requirements set by the PCI Security Council are meant to protect merchants from becoming victims of credit card fraud and to protect them from becoming another headline. The scanning of outward facing IP addresses is necessary in order to find vulnerabilities, or holes, where a Hacker could easily gain access to a merchant's servers. The remediation of these vulnerabilities ensures that merchants are providing customers with a secure environment for transactions. Many companies have gone out of business/lost their brand reputation due to one Hacking incident and the costs associated with the breach. Minneapolis and Texas have also adopted PCI Compliance into law."
SecurityMetrics: "Continuing the exploit discussion from above, the attitude towards PCI Compliance ought to be one of total risk mitigation rather than just "compliance". With this mentality, a "locked down" perimeter means much less of a chance that an organization will be hacked because the "bugs" or vulnerabilities they would normally see are presumably not there. For example, a hacker will use tools available on the Internet to scan for vulnerabilities (bugs) on a web site or app service, email server, FTP server, VPN endpoint or other external device. The hacker will then research the vulnerability report items to find scripts and other helpful info regarding that vulnerability. Then the hacker will use the info to gain root access or inject database commands or any one of a myriad of hacking methods."
3. How much do scanning services cost?
ControlScan: "Scanning services can range from $15 to $40 a month. One thing to keep in mind is that becoming PCI Compliant is more than just a scan. The PCI DSS is a set of 12 requirements that focus on specific areas of security. When evaluating which scanning vendor to use, do not assume that because you purchase a less expensive PCI scan that you are compliant."
SecurityMetrics: "Most merchants will pay $139.99 per year for full service PCI quarterly scanning and remediation help on all issues related to compliance including security policies and questionnaire assistance. The price is reduced as the IP count increases."
4. What are the differences among scanning vendors and what should merchants look for when choosing a provider?
ControlScan: "First of all, there are different types of scanning vendors. For example, a QSA or Qualified Security Assessor is certified to provide on-site remediation to Level 1 merchants, those who process over 6 million Visa or MasterCard transactions per year. An Approved Scanning Vendor is certified to provide scanning services to merchants processing less than 6 million Visa or MasterCard transactions per year. Many of these vendors focus on larger Level 2 and 3 merchants. Some vendors focus on small to midsized business, or Level 4 merchants. These merchants process under 20,000 Visa/MC transactions per year and make up the vast majority of businesses. There are vendors who only provide a scanning service and those that provide scanning and the Annual Self Assessment Questionnaire required for compliance. When evaluating different scanning vendors merchants should first look for an ASV that has experience dealing with their type of business. If the merchant is a small to midsized business, they should choose an ASV who is accustomed to serving Level 4 merchants. Merchant accounts should also make sure that the service they are purchasing meets all PCI DSS requirements and that the tools they are provided with are easy to understand as well as implement."
SecurityMetrics: "Merchants should research whether the vendor only provides scans or is a full-service provider. In other words, do they provide Payment Application consulting and auditing, PCI auditing and consulting with qualified auditors, etc. Merchants should also find out whether the service allows for management of multiple IPs (if applicable) and offers unlimited re-testing and support calls for the same price. Finally, find out whether the provider has certified level 1 auditors on staff who can address complicated questions about real world PCI challenges."
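As an added example that is not part of the original post and not either vendor's product or report format, the following Python script shows the kind of reconciliation a merchant can run on the quarterly external scan discussed above. It checks three things a practitioner cares about before signing off: that every Internet-facing address in the merchant's own inventory was actually covered by the scan (an unscanned host is a scope gap, not a clean result), that nothing is reachable from the Internet beyond the ports the firewall policy allows, and which findings are still open and must be fixed and re-tested. The report layout, the addresses, the inventory and the failing CVSS threshold are all constructed placeholders for the illustration.

```python
"""Reconcile a quarterly external vulnerability scan against the merchant's own
inventory of Internet-facing hosts and the services the firewall is meant to allow.

Added example; the report layout, addresses and threshold are constructed
placeholders, not any Approved Scanning Vendor's actual output or rules."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed inventory (assumption: the merchant maintains such a list): every
# Internet-facing address it owns, with the ports the firewall should expose.
EXPECTED_PORTS: Dict[str, Set[int]] = {
    "203.0.113.10": {80, 443},   # web storefront
    "203.0.113.11": {443},       # API endpoint
    "203.0.113.12": {25},        # mail relay
}

# Constructed scan results in a deliberately simplified shape.
SCAN_REPORT = {
    "quarter": "2008-Q1",
    "hosts": [
        {
            "ip": "203.0.113.10",
            "open_ports": [80, 443],
            "findings": [
                {"port": 443, "title": "Weak SSL cipher suites enabled", "cvss": 5.0, "fixed": False},
                {"port": 80, "title": "Server banner discloses version", "cvss": 2.6, "fixed": False},
            ],
        },
        {
            "ip": "203.0.113.11",
            "open_ports": [21, 443],
            "findings": [
                {"port": 21, "title": "FTP exposed to the Internet", "cvss": 7.5, "fixed": True},
            ],
        },
        # 203.0.113.12 is missing on purpose: the scan never covered it.
    ],
}

# Assumed score at or above which an open finding blocks a passing scan (placeholder).
FAIL_CVSS = 4.0


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    title: str
    cvss: float


def unscanned_hosts(expected: Dict[str, Set[int]], report: dict) -> List[str]:
    """Inventory addresses the scan never touched: a scope gap, not a clean result."""
    scanned = {h["ip"] for h in report["hosts"]}
    return sorted(ip for ip in expected if ip not in scanned)


def unexpected_ports(expected: Dict[str, Set[int]], report: dict) -> List[Tuple[str, int]]:
    """Ports reachable from the Internet that the firewall policy does not allow."""
    out: List[Tuple[str, int]] = []
    for h in report["hosts"]:
        allowed = expected.get(h["ip"], set())
        out.extend((h["ip"], p) for p in h["open_ports"] if p not in allowed)
    return sorted(out)


def open_failing_findings(report: dict, threshold: float = FAIL_CVSS) -> List[Finding]:
    """Findings still unfixed whose score meets the failing threshold, worst first."""
    out = []
    for h in report["hosts"]:
        for f in h["findings"]:
            if not f["fixed"] and f["cvss"] >= threshold:
                out.append(Finding(h["ip"], f["port"], f["title"], f["cvss"]))
    return sorted(out, key=lambda f: (-f.cvss, f.ip, f.port))


def scan_passes(expected: Dict[str, Set[int]], report: dict, threshold: float = FAIL_CVSS) -> bool:
    """Pass only when scope is complete, no stray ports are open, and nothing failing is left."""
    return (not unscanned_hosts(expected, report)
            and not unexpected_ports(expected, report)
            and not open_failing_findings(report, threshold))


def remediation_summary(expected: Dict[str, Set[int]], report: dict,
                        threshold: float = FAIL_CVSS) -> List[str]:
    """Human-readable work list for the team that has to fix and re-test before attesting."""
    verdict = "PASS" if scan_passes(expected, report, threshold) else "FAIL"
    lines = [f"Scan {report['quarter']}: {verdict}"]
    for ip in unscanned_hosts(expected, report):
        lines.append(f"scope gap: {ip} was not scanned")
    for ip, port in unexpected_ports(expected, report):
        lines.append(f"firewall: {ip}:{port} is open but not allowed by policy")
    for f in open_failing_findings(report, threshold):
        lines.append(f"fix and re-test: {f.ip}:{f.port} {f.title} (CVSS {f.cvss})")
    return lines


if __name__ == "__main__":
    print("\n".join(remediation_summary(EXPECTED_PORTS, SCAN_REPORT)))
```

Note the second host: its FTP finding is marked fixed, yet port 21 is still open, so the port check still flags it. A finding status and the live port list are independent evidence, and a scan is only useful to the merchant when both are reconciled against the merchant's own inventory rather than taken at face value.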
Automatic update of credit card information for recurring billing merchants
Posted on Wednesday, January 16, 2008 by Bryan Johnson
One of the biggest problems for merchants that charge credit cards on a recurring basis is maintaining accurate credit card information on file. In any given year, roughly 50-70% of Visa cardholders will change their account information. This places a heavy burden on merchants to reach out to customers and capture the updated information.
There are a number of reasons credit card details change, including bank mergers that result in new numbers, identity theft, balance transfers and the regular updating of the card's expiration date. Regardless of the cause, merchants face an uphill and expensive battle to deal with these changes. Eight years ago Visa started working on a program they call Account Updater (VAU). They created an automated system that directly interfaces with merchant accounts and updates customers' credit card information. Here is how it works:
1. Merchants are enrolled in VAU through their participating Visa Merchant Bank.
2. Visa card Issuers submit electronic files with updates to Visa when a cardholder's account information changes.
3. Issuers are required to send these file updates within two business days, and are strongly encouraged to send them daily to ensure that account-on-file Merchants have the advantage of the latest authorization data.
4. The Merchant's credit card information is sent to Visa. VAU processes inquiries against its database and provides responses to the Visa Merchant Bank.
5. Participating Merchants are required to update their customer account database within five business days after receiving VAU updates from their Visa Merchant Bank and to ensure that the updated database is used in future Visa transactions in accordance with Visa Account Updater Terms of Use.
Visa charges a nominal fee for the service which varies according to volume but is in the range of $.30 to $.50 per 'matched' file.
Related:
Braintree Account Updater Service
Alternative payments are getting greater scrutiny
Posted on Thursday, January 10, 2008 by Bryan Johnson
For the past few years there has been nothing but positive buzz about alternative payment types PayPal and Bill Me Later in the payment processing industry. By all measures their market penetration has been disruptive and impressive. Today, for the first time that I've seen, Kelli Grant of the Wall Street Journal has a piece out, "Beware of Web-Pay Alternatives," that focuses on some of the more potentially unappealing aspects of these payment types for consumers. Note, for PayPal, Kelli is highlighting PayPal Pay Later, which is different from their standard offering.
Here are three reasons you may want to think twice before using one of these services:
Your Credit Score Could Take a Hit. If your goal is to get away from paying with plastic, be especially cautious about services like PayPal's Pay Later and Bill Me Later, which function as a line of credit. "Any new account, especially one that immediately carries a balance, is considered a risk on your credit report," said Gerri Detweiler, a credit adviser at Credit.com. Opening one new account could push a credit score of 707 down to 697 for six months, according to Fair Isaac Corp.'s FICO Score Simulator. Even worse: Your score could drop by as much as 100 points if you come close to maxing out the line of credit, said Ms. Detweiler. For someone planning to shop for a mortgage, home equity line of credit or other loan, the difference could lead to higher interest rates and thousands of dollars more in payments. Even if you aren't planning to make a big purchase, a drop in your credit score could prompt your creditors to raise the rates on your existing accounts. PayPal clearly discloses its line of credit as a credit product, as well as the terms and conditions before consumers apply, said spokeswoman Amanda Pires. Bill Me Later didn't respond to requests for comment.
You Will Pay High Interest Rates. If you carry a balance with alternate-payment services, you face exorbitant interest rates. PayPal's buyer-credit option charges a variable 22.75% annual rate, while Bill Me Later has a variable interest rate of 19.99%. For comparison's sake, standard credit cards carry an average variable rate of 13.89%, according to Bankrate.com. (For consumers with great credit, those rates could be much lower.)
You'll Get Weaker Protections. Security is frequently touted as one of the upsides to alternate-payment programs. After all, there is no credit-card number to steal. "But that means you won't have the same protections as if you were paying with a credit card," said Consumer Federation's Ms. Grant. "[Fraud] coverage is extremely limited, and whatever protections the service does give you are voluntary." When it comes to your credit card, federal law dictates what your liability will be if someone makes an unauthorized purchase. (At most, you will pay $50.) The law also protects a consumer's right to dispute charges on their account for incorrect billing and defective items, among other problems. Bill Me Later, eBillme and PayPal have zero-liability policies for unauthorized charges (no matter what method you use to pay), but their policies are somewhat weaker when it comes to disputes.
MasterCard partners with Microsoft and Monster to drive credit card acceptance
Posted on Monday, January 07, 2008 by Bryan Johnson
The major card brands Visa, MasterCard, American Express and Discover continue to drive usage by offering more reward programs. MasterCard's latest partnership with Microsoft and Monster is targeted at getting small business owners to use their credit card for online advertising and recruiting. Cardholders get a discount for the services they purchase.
MasterCard's Easy Savings program already has companies such as Intuit, SurePayroll, websitepros, HRTools.com and others.
Participating merchants like it because it drives more business to their front door, and MasterCard likes it because they become the card of choice in the consumer's wallet.
MasterCard also recently partnered with the state of Illinois to offer 529 College Savings programs.
Credit Card Interchange
Posted on Saturday, January 05, 2008 by Bryan Johnson
Interchange is the wholesale pricing of Visa, MasterCard and their co-issuing financial institutions in the credit card processing industry.
Visa and MasterCard branded cards account for roughly 70% of all debit and credit cards in circulation. When financial institutions issue credit or debit cards to a consumer or business, they make the Interchange fee every time that card is used to purchase something. Visa and MasterCard, the co-issuers, make a very small margin on top of the financial institutions set fee. The financial institutions make roughly 80% of all credit card fees charged.
Businesses that accept credit cards as a form of payment, of course, pay these fees. Discover and American Express are non-bank cards, meaning that they don't use the thousands of banks nationwide to issue their cards to consumers and businesses. Discover and American Express determine their own fixed, almost non-negotiable rate structures.
Discover recently announced that they will be changing their business model to be more like Visa and MasterCard and have a set Interchange structure that merchant service providers can mark up and then bundle with Visa and MasterCard credit card processing. The move is to try and broaden acceptance and simplify processing for merchants who will now only receive consolidated pricing and one monthly statement for Visa, MasterCard and Discover. American Express will still be separate.
The exact Interchange rate that is charged on a particular transaction depends on a number of variables. In fact, there are over 170 different interchange rates that are determined based upon the card type (e.g. debit, credit, rewards, corporate), business type (restaurant, retail, ecommerce, gas station, etc.), acceptance method (swiped, internet, phone), settlement or batch time frame and what information is submitted with the transaction (e.g. Address Verification Service (AVS)). There are a few other more advanced variables that influence the Interchange rate.
Merchant account providers mark up the wholesale Interchange rates and offer merchants credit card processing services. To simplify the complexity of the Interchange structure, most merchant service providers will offer a 3-Tier pricing program. This means that a merchant will have one rate for swiped transactions, another for non-swiped cards and another for corporate cards. Sometimes a 4-Tier pricing structure is issued with the addition of a swiped debit card rate. The interesting thing about these pricing structures is that there may actually be 40 different interchange rates that are charged to the merchant, but the merchant account provider just buckets all of these rates into the three different categories.
Some merchant account providers may bucket Reward cards in the second most expensive tier and another company may bucket them into the third and most expensive tier. That's why it's very challenging to compare rates from one provider to another.
Other related posts:
Where do credit card fees come from?
Innovation in credit card reward programs: 529 college savings rebates
Posted on Thursday, January 03, 2008 by Bryan Johnson
Illinois has partnered with MasterCard to offer a new, innovative credit card rewards program for their Bright Start College Savings Program. Families can now use their Bright Start Futuretrust MasterCard card and receive a 1% cash rebate to save and invest money tax free to pay for college expenses. It's the first and only 529 rewards program.
Bright Start makes a one-time $25 contribution upon the first use of the card and offers enhanced rebates at selected retailers such as JCPenney (4%), Barnes & Noble (3%), Lands' End (4%), Overstock (3%) and many more. This move highlights the ongoing high-stakes effort by all payment providers, both conventional (Visa, MasterCard, AMEX and Discover) and new entrants (Google Checkout, PayPal, Bill Me Later, Revolution Money, Tempo), to create incentives for consumers and merchants to use their payment instrument as their preferred form of payment.
The new entrants have been vying for a piece of the payment acceptance market and are trying to reach a critical level of widespread acceptance as quickly as possible, or face the high probability of failure. Revolution Money, for example, has bet that their success in the marketplace will be driven by their lower fees to merchant accounts and, for consumers, their PayPal-like features in the social media and blog space for small-dollar payments.
It's an ongoing challenge to construct the proper balance of driving demand from both the consumer and merchant side. MasterCard's partnership with the State of Illinois demonstrates that the incumbent credit and debit card providers will continue to rely heavily on consumer demand to drive their market dominance.
MasterCard Announces Increase to International Interchange Fees
Posted on Wednesday, December 19, 2007 by Bryan Johnson
Effective January 15th, 2008, MasterCard will raise three categories of its international interchange.
- International Consumer: Interchange rates will increase between .24% and .05% basis points on transactions where a non U.S. consumer credit card is used at a U.S. based merchant.
- International Commercial: Interchange rates will increase .15% basis points on transactions where a non U.S. commercial credit card is used at a U.S. based merchant.
- Cross-Border Assessment: Rates will increase by .20% whenever the cardholder's country code is not the same as the merchant country code.
The European Union wasn't too pleased with the increase announced for European merchants and has given MasterCard six months to drop the increase or else face a daily fine of 3.5% of daily global revenues. (Can they really do that?)
In years past Visa and MasterCard would announce interchange changes on an orderly schedule, usually in the spring. When announced, most credit card processing providers in the industry would attempt to capitalize on these increases and raise the margins they were getting from their customers. So, for example, if rates went up .20% basis points, they would increase their rates .40% basis points, which in my opinion is not a fair practice.
It's understood that rate increases will be passed on, but not added to. At the same time, this topic is very complicated, so I don't want to oversimplify it. At the heart of the problem is the highly complicated interchange structure, which consists of roughly 170 different rate categories. Read here for a more detailed explanation of where credit card fees come from and how they are determined.
For large providers, because pricing changes must be made to the entire portfolio, averages are passed on to all the merchants. These international increases are a good example. Most merchants don't process a lot of international cards regularly, so the interchange increases would have minimal impact on the credit card provider. But because it's logistically very challenging for the larger providers to drill down and evaluate each merchant's processing, averages are used to determine increases.
So when you receive your next few monthly credit card processing statements that you never read, look for the message at the top where a rate increase will probably be announced.