QSA Self Assessment Support – Who is this service for?
- Merchants or Service Providers that are able to self-assess their PCI compliance status;
- Existing Self-Assessment customers that need to review the Self-Assessment Questionnaire (SAQ) they are completing to confirm it is still correct for their environment;
- Customers who have taken over the assessment process from another party and need assurance that the correct self-assessment has been identified.
What are the benefits?
There is a wide range of SAQs available to address a confusing range of payment channel options:
- E-Commerce web applications with a variety of integration options;
- Use of PEDs (PIN Entry Devices), either as a standalone connected device or as part of a POS (Point of Sale) system;
- Payment applications, including virtual payment terminals provided by a third party;
- Legacy systems that interact with Cardholder data;
- Interactions with third parties for services such as hosting, telephony or physical security that come into contact with Cardholder data.
To ensure that the correct documentation is being completed, it is important that the review process is thorough and considers every point at which cardholder data touches the environment.
The QSA team will complete a detailed review of current documentation and network information to determine the in-scope systems and the correct SAQ to be completed, based on the payment channels identified.
This review includes on-site interviews with key staff, and observations of processes and systems in place to accurately determine the correct SAQ that is applicable to the environment.
What happens next?
An initial on-site review is completed to cover:
- Scope of the Cardholder Data Environment (CDE) reviewed to confirm all applicable people, processes and systems are included in the assessment process;
- Review of the customer's data-flow diagrams (or the production of these if necessary), to fully identify all touch points for cardholder data;
- De-scoping recommendations to simplify compliance requirements and potentially reduce costs to the customer.
Dependent on the payment channels in use, interviews will need to be conducted with:
- IT staff (internal or external);
- Developers (if the customer develops software / websites that accept cardholder data);
- Operational staff involved with manual processing of cardholder data (such as order forms or phone calls);
- Third parties providing services for the customer in support of the CDE.