Welcome to installment number four on the path to PCI compliance. Previously, we reviewed the 12 PCI DSS requirements, discussed the SAQ and AOC, and looked at how different card payment solutions affect which SAQ you should follow. By way of a reminder, the SAQ is the Self-Assessment Questionnaire and the AOC is the Attestation of Compliance; the two are delivered as one combined form, with the AOC being the signed attestation section of the SAQ document. Today we’ll explain how you submit your SAQ and AOC to your card processor.
The SAQ and AOC must be submitted on an annual basis. The due date will coincide with the month in which you originally submitted your first SAQ. Bear in mind that many of the individual requirements operate on much shorter time intervals (quarterly scans, periodic log review, and so on), so the controls behind the SAQ must be tracked and managed continually, not just once a year.
There are several ways to submit your SAQ and AOC. For NISC Members, the SAQ and AOC are submitted through First Data, which provides three main methods of submission. You may recall how we compared the PCI DSS process to the April 15 Federal tax filing; the same comparison applies here. You can “e-file” using First Data’s free Clover Security Portal, which is by far the simplest and most efficient route. You can also download, print, and email or snail-mail the SAQ and AOC documents. Or, you can hire a Qualified Security Assessor (QSA), just as you would hire a tax advisor, who can submit the paperwork for you or at least help you complete it before you “e-file” or manually submit it to First Data. Each approach has its benefits. For level 3 and level 4 merchants, and every NISC Member falls into one of those two levels, all that is required is the SAQ and AOC. Hiring a QSA to assist in the process is optional.
Once you have submitted the SAQ and AOC the first time, subsequent annual assessments should be relatively simple to demonstrate, provided all of the controls remain in place. As a culture of security becomes more firmly established in your organization, the daily, weekly, and monthly tasks for maintaining compliance should become routine and easier as time goes on.
Looking at the bigger picture, you can now see the importance of keeping all of the requirements in place and staying on top of significant changes in your environment that could affect the scope of the cardholder data environment (CDE), in case there is ever a need for an audit. In that case, an auditor will ask you about something like requirement 12.1: Is a security policy established, published, maintained, and disseminated to all relevant personnel? It is not enough to answer yes; you will need to produce evidence, such as the current policy document, its revision history, and records showing it was distributed to staff. Can you do that today?
QSAs are available to assist if you need outside help, but at the end of the day it is you who will need to answer the questions, in much the same way that you are responsible for your own taxes regardless of who prepares them.
We will be wrapping up this series with the final installment soon. We hope these posts are proving helpful as you continue on your journey to PCI compliance!