The PCI SAQ Problem: Versions Are Much Too Incomplete

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

The shortened versions of the Self-Assessment Questionnaire (SAQ) have only one problem: They are incomplete. There are PCI requirements every merchant should meet beyond what is specified in any shortened SAQ. Any retailer that limits its PCI compliance effort to completing one of the shortened SAQs trades off security for compliance. That is, any merchants who think they need only meet the requirements of a shortened SAQ risk a data compromise that can result in ruinous fines and land them in the headlines for reasons they would rather not be there.

The SAQ is an excellent starting point. But it is not (and does not promise to be) an all-inclusive approach to achieving—not just validating—PCI compliance. In a previous column, I noted the PCI Council's point that slavishly (my terminology) completing a SAQ may not be enough to be PCI compliant. As the Council states in the SAQ Instructions and Guidelines: "According to payment brand rules, all merchants and service providers are required to comply with the PCI DSS in its entirety."

What is a merchant to do? On the one hand, they may qualify to use a shortened SAQ with as few as 12 items. On the other hand, the same PCI Council that developed the SAQ still expects merchants to comply with each of the 280-plus requirements of PCI. Assuming these conflicting thoughts haven't caused a merchant's head to explode, I would like to offer a solution.

That solution is to use the SAQ as a guideline. It is a starting point. Merchants need to go beyond their SAQ's requirements. They need to take advantage of their knowledge of their operations and network to include other PCI requirements they should meet to secure their systems and protect their business.

(Related story: New PCI P2PE Rules Drop Compliance Requirements To 2)

Merchants who qualify for SAQ A could outsource their card processing to a PCI-compliant service provider. SAQ A applies only to card-not-present situations and, as with all the shortened SAQs, the merchant stores no electronic cardholder data. The typical SAQ A merchant hosts a Web site that at some point redirects the customer to the processor's hosted order page where all cardholder data is processed. SAQ A merchants, therefore, rely entirely on their PCI-compliant processor for all card processing.

SAQ A includes 12 questions that cover parts of only two PCI requirements: parts of Requirement 9, for securing any paper records, and Requirement 12.8, for managing the service provider. That's it. Because the merchant has a Web site, I would suggest it is a glaring vulnerability that is not addressed currently by the SAQ. It is not only I who thinks this way. Visa Europe issued a bulletin in April 2010 warning about attacks on SAQ A-type merchants.Visa noted that "Merchants using this type of configuration are being targeted by criminals who gain unauthorized access to the merchant's Web site by directly exploiting vulnerabilities in either a merchant's Web site or in the merchant Web server. Once compromised, hackers will modify the merchant's code, which links to the hosted payment page, redirecting customers to a counterfeit page that looks identical to the third-party's authentic hosted payment page."

That is, the bad guys hack your server and instead of directing your customers to your payment processor, you end up sending them to—or at least sees the transaction. Now your customers' card data has been well and truly breached.

Currently, SAQ A does not require that the merchant's Web site be located behind an effective firewall (Requirement 1) or that the server be scanned (internally and externally) and penetration tested (Requirement 11) to identify vulnerabilities that make the bad guys' job easier. SAQ A merchants should comply at least with these two additional PCI requirements. It should not matter that these are not in the SAQ. Just because merchants do not store cardholder data does not mean they are invulnerable to a cardholder data breach.

I know some SAQ A merchants do have their servers behind an effective firewall, and I even know a few who perform quarterly internal and external scans. None of these requirements is in their SAQ, but they take these steps because they want to be secure.

SAQ B is for merchants who use dial-out POS terminals or imprinters (a.k.a., zip-zap machines or knuckle-busters). This SAQ has 29 questions, and it includes all the PCI requirements in SAQ A plus three more: parts of Requirement 3, for protecting cardholder data and not storing sensitive authentication data like the mag stripe; one part of Requirement 4, so you don't E-mail or text unencrypted PANs; and parts of Requirement 7, which restrict data and system access to staff whose job requires it. There also are additional subsections of Requirement 12 in SAQ B covering security policies and staff training.

I'd say SAQ B is pretty complete. If a merchant only has POS terminals connected to dial-out phone lines (no Internet, remember), then this SAQ looks to do a pretty good job. I would add one item that is good security even though it appears nowhere in PCI today: requiring regular physical inspection of POS devices to identify evidence of tampering.

POS devices are vulnerable to tampering and even replacement by criminals. Smart retailers train their staff and managers to report when they observe changes ("Golly, the terminal wasn't green yesterday, was it?"). Really smart retailers monitor their POS devices with an automated system that alerts them when a device is turned off or disconnected.The Council should include physical inspection and monitoring of POS devices in PCI. It would fit reasonably well in either Requirement 9 (physical access) or Requirement 10 (monitoring and testing). In the meantime, checking POS devices is good security, and it should be part of every merchant's compliance plan.

SAQs C and C-VT can apply to merchants who use the Internet to process transactions. In next week's column, I'll suggest PCI requirements beyond what are already in those SAQs.

Keep in mind that all of this is one QSA's experience and opinion. Merchants should look at their particular situation, network and infrastructure. As the saying goes, "Your mileage may vary."

Should the PCI Council revise the SAQs to reflect some of these additional requirements? I'll leave that decision to the Council and the card brands. The simplified SAQs are collectively a great innovation, and they have helped make PCI compliance more approachable for many small and midsize businesses. By offering an incentive (easy validation), the Council also caused many merchants to stop storing electronic cardholder data. This result alone greatly reduces the chance of a data breach.

My only regret is that the SAQs are not positioned as guidance or a compliance starting point. Instead, some merchants interpret them as the limit of their PCI compliance effort. Validation is not the same as compliance. At one level, validation is once a year and compliance is what merchants do every day. At another level—and that is what this column is about—validation with a shortened SAQ may look good on paper, but compliance has always meant complying with all of PCI DSS.

Just because the Council may not include some PCI requirements in a particular SAQ does not mean merchants have a free pass on PCI. If a merchant suffers a data breach, I would not plan on the "But that requirement wasn't in my SAQ" defense being very effective. Next week, we'll look at the remaining SAQs.

What do you think? Do you use a shortened SAQ? Does your company look beyond the SAQ or is that all you do for PCI compliance? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].