PCI SAQ D for Service Providers and Merchants

Learn About SAQ D PCI Compliance for Service Providers and Merchants

PCI DSS SAQ D is a condition of eligibility for merchants and accepted service providers that do not meet other SAQ (A, A-EP, B, B-IP, C, C-VT, or P2PE) criteria.

Require merchants and service providers eligible to complete SAQ D to thoroughly review the applicable requirements, follow all required policies, procedures, processes, and practices, and then complete the accompanying Attestation of Compliance (AoC).

It is also important to note that PCI SAQ D is the most comprehensive of all Self-Assessment Questionnaires, as it includes provisions for all of the PCI DSS requirements. While merchants and service providers are allowed to use the phrase “not applicable” in the fields within SAQ D, there is still a lot of work to be done to align.

If you are a service provider or merchant that stores credit card data, PCI SAQ D will apply to you. Service providers that process less than 300,000 cards annually can use the SAQ D form or obtain a Report on Compliance (ROC).

However, service providers that process more than 300,000 cards annually must undergo an on-site PCI DSS audit and obtain a Report on Compliance (ROC).

See Also: Choosing the Right PCI DSS SAQ

You can check our PCI DSS SAQ article to review all PCI SAQ types and get detailed information.

Who qualifies as service providers?

Service providers are business entities directly involved in the processing, storage, or transfer of cardholder data on behalf of another company. Besides, service providers include companies that provide services that control or may affect cardholder data security.

If a service provider manages card data, it must comply with PCI DSS to ensure data protection. Here are some situations that will allow a service provider to be PCI compliant:

  • In case the service provider manages the card information on behalf of another organization.
  • If the service provider manages security devices used in another organization’s cardholder data environment or provides related services
  • If it is a service provider that hosts a company’s e-commerce system/website

Generally, if a company manages card data at any stage, it must be fully compliant with PCI DSS.

PCI SAQ D is valid for all types of merchants and service providers. Because of this broad scope, the easiest way to find out if SAQ D is right for you is whether or not you store cardholder data digitally. If you are storing cardholder data, you must fill out the SAQ D form.

Another question you should ask is whether other SAQs apply to you. SAQs have precise criteria. Therefore, if your organization does not meet any additional SAQ questionnaire requirements, you must complete SAQ D.

Another main reason for completing SAQ D is that you are a Service Provider. Service Providers do not need to look at the criteria of other SAQs as they must fill in the SAQ D form by default, as there are no other SAQ options for service providers.

To review all PCI SAQ types, you can refer to our PCI DSS SAQ article.

What are the requirements for PCI SAQ D?

There are 329 questions in total that you need to answer in PCI DSS SAQ D. These questions are grouped and divided according to 12 different PCI DSS requirements. It made it a little easier to answer and reach these questions.

Additionally, it would help if you remembered that the questions on the SAQ D form are the same for merchants and service providers.

Also, you can answer each question as “No,” “Yes,” “Compensating Control,” or “Not Applicable” (Not Applicable). The survey also includes details on addressing a particular issue and making it consistent with your organization if you answer “No” to any of the questions.

SAQ D covers 12 of the PCI DSS requirements as follows:

Note that although many organizations that have completed SAQ D must comply with all requirements, some requirements may not apply to some organizations with precise business models.

A quarterly external network vulnerability scan

Service providers and merchants should have their networks scanned by the PCI Approved Scanning Provider (ASV) for vulnerabilities at least annually and after significant changes.

Penetration test

Merchants and service providers who use segmentation to separate the cardholder data environment from other networks must perform segmentation control and penetration testing every six months and after any changes in segmentation controls/methods.

Such penetration testing may be performed by a qualified internal source or a third party. Although it is not expected to be a QSA or ASV, if internal resources are used, the person or institution performing the test must be independent.

The purpose of penetration test checks and segmentation methods is to verify that the cardholder data environment is protected from unauthorized access.

A quarterly internal network vulnerability scan

Internal network vulnerability scans for PCI SAQ D are also expected to be performed quarterly. Scanning for network vulnerabilities locally is a scan similar to what motion detectors do in your home.

Suppose an attacker can exploit an external network vulnerability to gain unauthorized access to a local network computer. In that case, they can also target other devices and networks within the corporate network from the newly acquired local network attack point.

Service providers must conduct regular internal scans and correct findings to help avoid the extent and severity of a breach. There are several methods available to help service providers meet their internal vulnerability scanning requirements. As an example, you can:

  • You can select ASV or another service provider with a built-in vulnerability scanning device.
  • You can install an open-source network vulnerability scanning tool.
  • You can purchase licensed network scanning tools.

Note that the device you use must be installed by a professional even after purchasing or downloading it. Support is usually included when you buy a machine.

If you want to use the open-source scanning software, you may need to spend more time searching online forums for best practice configuration tips.

PCI SAQ D for Merchants

SAQ D for merchants is valid for merchants that do not meet other SAQ criteria. Examples of PCI SAQ D merchant environments include, but are not limited to:

  • E-commerce firms that allow cardholder information on their websites;
  • Merchants that store cardholder data electronically;
  • Companies that do not store cardholder data electronically but do not meet the criteria of another SAQ type;
  • Merchants that can meet the requirements of another SAQ type but have additional requirements for PCI DSS related to their environment.

Some examples of the questions you need to answer in PCI SAQ D:

Here are some questions you need to answer for SAQ D, which has 329 questions:

  • Is there a formal process to validate and test changes to all network connections, firewall, and router configurations?
  • Are default passwords changed during setup?
  • Does all cardholder data stored meet the requirements defined in the data retention policy?
  • Can only personnel with a valid business need to see the PAN?
  • Is PAN data masked when shown?
  • Is all the information on the magnetic stripe on the back of a card stored on a disk or elsewhere after authorization?
  • Is information security included in the software development lifecycle?
  • Are access control systems in place in all system components?
  • Is there a mechanism to find vulnerabilities?
  • Are there quarterly external network vulnerability scans?
  • Is information from reliable outside sources used for vulnerabilities?
  • Do authorized parties approve the required privileges?
  • Is multi-factor authentication used for remote network access?

These questions often come with a list of expected tests, such as observing processes, reviewing policies and procedures, or viewing data sources.

It is essential to pay attention to these because if you do not meet or understand a question’s requirements, the expected answer list provides the actions you can take to respond appropriately to the questions.

How is the PCI DSS Self-Assessment Questionnaire D completed?

There are several answers to each question on the SAQ D form that you can indicate your company’s status regarding the requirement. Your answers to the questions may be “Yes, No, Compensating Control or Not Applicable.” Only one answer should be chosen for each question.

You can complete the PCI SAQ D form by following the steps below in order:

  1. First, determine the applicable SAQ for your environment.
  2. Confirm that your environment’s scope is defined correctly and meets the eligibility criteria for the SAQ you are using.
  3. Assess your environment for compliance with applicable PCI DSS requirements for SAQ D.
  4. Complete all required sections of the SAQ D form.
  5. Communicate the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, to the recipient, your payment brand, or other requestors.

Attestation of Compliance (AOC) Form

The Attestation of Compliance (AOC) form is the final report of the audit performed by a Qualified Security Assessor to ensure that the business is compliant with the PCI. Merchants and service providers may show this form as proof of their PCI DSS compliance.

Additional security tips for service providers and merchants

Segment networks: Separating the network containing card data from the rest of your network will save you a lot of time and effort in your PCI compliance initiative.

Establish your policies and procedures: Ensure all security policies are properly documented and updated, as they will allow you to maintain security practices and reduce liability in the event of a breach.

Work with an expert: If you are unfamiliar with PCI DSS or general security practices, it would be a smart idea to hire a qualified security consultant and understand what to do.

You can view the PDF form of the PCI Self-Assessment Questionnaire D for merchants and Service Providers here.

Surkay Baykarahttps://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

Best Practices Against Ransomware Attacks and Hardening Guidelines

These best practices can help your organization manage the risk posed by ransomware and respond to a ransomware outbreak in a coordinated and effective manner.

What Are the Ransomware Infection Vectors

Ransomware events can severely impact business processes and deprive organizations of the data they need to run their business and deliver mission-critical services.

What Are the Ways to Reduce PCI Scope

If you can limit the amount of cardholder data you have, you'll have fewer data to audit.

Related posts

Latest posts

Best Practices Against Ransomware Attacks and Hardening Guidelines

These best practices can help your organization manage the risk posed by ransomware and respond to a ransomware outbreak in a coordinated and effective manner.

What Are the Ransomware Infection Vectors

Ransomware events can severely impact business processes and deprive organizations of the data they need to run their business and deliver mission-critical services.

What Are the Ways to Reduce PCI Scope

If you can limit the amount of cardholder data you have, you'll have fewer data to audit.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!