Learn About SAQ D PCI Compliance for Service Providers and Merchants
PCI DSS SAQ D applies to merchants, and to eligible service providers, that do not meet the criteria of any other SAQ (A, A-EP, B, B-IP, C, C-VT, or P2PE).
Merchants and service providers eligible to complete SAQ D are required to thoroughly review the applicable requirements, implement all required policies, procedures, processes, and practices, and then complete the accompanying Attestation of Compliance (AoC).
It is also important to note that PCI SAQ D is the most comprehensive of all Self-Assessment Questionnaires, as it covers every PCI DSS requirement. Although merchants and service providers may mark fields within SAQ D as “not applicable,” a great deal of work is still needed to achieve compliance.
If you are a service provider or merchant that stores credit card data, PCI SAQ D applies to you. Service providers that process fewer than 300,000 cards annually can use the SAQ D form or obtain a Report on Compliance (ROC).
However, service providers that process more than 300,000 cards annually must undergo an on-site PCI DSS audit and obtain a Report on Compliance (ROC).
You can check our PCI DSS SAQ article to review all PCI SAQ types and get detailed information.
Who qualifies as service providers?
Service providers are business entities directly involved in processing, storing, or transmitting cardholder data on behalf of another company. Service providers also include companies whose services control, or could affect, the security of cardholder data.
If a service provider handles card data, it must comply with PCI DSS to ensure that data is protected. Here are some situations in which a service provider must be PCI DSS compliant:
- The service provider handles card data on behalf of another organization.
- The service provider manages security devices used in another organization’s cardholder data environment, or provides related services.
- The service provider hosts a company’s e-commerce system or website.
Generally, if a company manages card data at any stage, it must be fully compliant with PCI DSS.
PCI SAQ D applies to all types of merchants and service providers. Because of this broad scope, the simplest test for whether SAQ D is right for you is whether you store cardholder data electronically. If you store cardholder data, you must complete the SAQ D form.
Another question to ask is whether any other SAQ applies to you. Each SAQ has precise eligibility criteria, so if your organization does not meet the criteria of any other SAQ, you must complete SAQ D.
The other main reason for completing SAQ D is that you are a service provider. Service providers do not need to look at the criteria of the other SAQs: they must complete the SAQ D form by default, because there is no other SAQ option for service providers.
To review all PCI SAQ types, you can refer to our PCI DSS SAQ article.
What are the requirements for PCI SAQ D?
There are 329 questions in total to answer in PCI DSS SAQ D. They are grouped according to the 12 PCI DSS requirements, which makes them easier to navigate and answer.
Keep in mind that the questions on the SAQ D form are the same for merchants and service providers.
Each question can be answered “Yes,” “No,” “Compensating Control,” or “Not Applicable.” The questionnaire also includes guidance on how to address a requirement you have answered “No” to and bring your organization into line with it.
SAQ D covers 12 of the PCI DSS requirements as follows:
- PCI DSS Requirement 1: Set up and maintain a firewall configuration to protect data
- PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- PCI DSS Requirement 3: Protect stored cardholder data
- PCI DSS Requirement 4: Encrypt cardholder data when transmitted over open, public networks
- PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software
- PCI DSS Requirement 6: Develop and maintain secure systems and applications
- PCI DSS Requirement 7: Restrict access to cardholder data by business need to know
- PCI DSS Requirement 8: Identify and verify access to system components
- PCI DSS Requirement 9: Restrict physical access to cardholder data
- PCI DSS Requirement 10: Monitor all access to network resources and cardholder data
- PCI DSS Requirement 11: Regularly test security systems and processes
- PCI DSS Requirement 12: Maintain a policy that addresses information security for all personnel
Note that although most organizations completing SAQ D must comply with all requirements, some requirements may not apply to organizations with specific business models.
A quarterly external network vulnerability scan
Service providers and merchants should have their networks scanned for vulnerabilities by a PCI Approved Scanning Vendor (ASV) at least quarterly and after any significant change.
Merchants and service providers that use segmentation to isolate the cardholder data environment from other networks must perform penetration testing of the segmentation controls every six months and after any change to segmentation controls or methods.
Such penetration testing may be performed by a qualified internal resource or by a third party. The tester is not required to be a QSA or ASV, but if internal resources are used, the person performing the test must be organizationally independent.
The purpose of penetration testing the segmentation controls is to verify that the cardholder data environment is protected from unauthorized access.
A quarterly internal network vulnerability scan
Internal network vulnerability scans are also expected to be performed quarterly for PCI SAQ D. An internal scan plays a role similar to motion detectors inside a home: it looks for weaknesses an attacker could exploit once they are already inside the network.
Suppose an attacker exploits an external network vulnerability to gain unauthorized access to a computer on the local network. From that foothold, they can then target other devices and networks within the corporate network.
Service providers must conduct regular internal scans and remediate the findings to limit the extent and severity of a breach. Several approaches can help service providers meet their internal vulnerability scanning requirements. For example, you can:
- Select an ASV or another service provider that offers a built-in vulnerability scanning appliance.
- Install an open-source network vulnerability scanning tool.
- Purchase a licensed network scanning tool.
Note that whichever tool you choose must be properly installed and configured by someone qualified to do so, even after you have purchased or downloaded it. Support is usually included when you buy a commercial appliance.
If you choose open-source scanning software, expect to spend more time searching online forums for best-practice configuration tips.
PCI SAQ D for Merchants
SAQ D for merchants applies to merchants that do not meet the criteria of any other SAQ. Examples of PCI SAQ D merchant environments include, but are not limited to:
- E-commerce merchants that accept cardholder data on their own websites;
- Merchants that store cardholder data electronically;
- Merchants that do not store cardholder data electronically but do not meet the criteria of any other SAQ type;
- Merchants that meet the criteria of another SAQ type but have additional PCI DSS requirements related to their environment.
Here are some examples of the 329 questions you need to answer in PCI SAQ D:
- Is there a formal process to validate and test changes to all network connections, firewall, and router configurations?
- Are default passwords changed during setup?
- Does all cardholder data stored meet the requirements defined in the data retention policy?
- Can only personnel with a valid business need to see the PAN?
- Is PAN data masked when shown?
- Is the full contents of the magnetic stripe on the back of a card stored on disk or elsewhere after authorization?
- Is information security included in the software development lifecycle?
- Are access control systems in place in all system components?
- Is there a mechanism to find vulnerabilities?
- Are there quarterly external network vulnerability scans?
- Is information from reputable outside sources used to identify new vulnerabilities?
- Do authorized parties approve the required privileges?
- Is multi-factor authentication used for remote network access?
Each question comes with a list of expected testing, such as observing processes, reviewing policies and procedures, or examining data sources.
Pay attention to this list: if you do not meet, or do not understand, a question’s requirement, the expected testing tells you what actions you can take to answer the question appropriately.
How is the PCI DSS Self-Assessment Questionnaire D completed?
Each question on the SAQ D form offers several answers with which you can indicate your company’s status regarding the requirement: “Yes,” “No,” “Compensating Control,” or “Not Applicable.” Only one answer should be chosen for each question.
You can complete the PCI SAQ D form by following the steps below in order:
- First, determine the applicable SAQ for your environment.
- Confirm that your environment’s scope is defined correctly and meets the eligibility criteria for the SAQ you are using.
- Assess your environment for compliance with applicable PCI DSS requirements for SAQ D.
- Complete all required sections of the SAQ D form.
- Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, to the recipient, such as your payment brand or other requestor.
Attestation of Compliance (AOC) Form
The Attestation of Compliance (AOC) form is the final report of the audit performed by a Qualified Security Assessor to confirm that the business complies with PCI DSS. Merchants and service providers may present this form as proof of their PCI DSS compliance.
Additional security tips for service providers and merchants
Segment networks: Separating the network that contains card data from the rest of your network will save you a great deal of time and effort in your PCI compliance initiative, because it reduces the scope of the environment you must assess.
Establish your policies and procedures: Ensure all security policies are properly documented and kept up to date; they allow you to maintain consistent security practices and reduce liability in the event of a breach.
Work with an expert: If you are unfamiliar with PCI DSS or general security practices, it is a smart idea to hire a qualified security consultant who can help you understand what to do.