If you are a business that takes card payments, online or otherwise, your acquiring bank will require you to demonstrate compliance with PCI-DSS, and for most smaller merchants that means completing a Self-Assessment Questionnaire (SAQ).
Why? And who actually completes these ridiculously long questionnaires?
What is PCI-DSS?
Several different types of SAQ apply depending on how you accept and process payment card information. Your merchant level, set by transaction volume, decides whether you may self-assess at all: the largest merchants need an on-site assessment by a Qualified Security Assessor instead. The questionnaires range from a couple of dozen questions up to over 200 quite technical ones.
- SAQ A: For card-not-present merchants (e-commerce or mail/telephone order) that outsource all cardholder data functions to validated third parties and never store, process or transmit card data on their own systems. An example here would be someone using Shopify or eBay;
- SAQ A-EP: For e-commerce merchants that outsource their payment processing to validated third parties but run the website that hands the customer over to it, so that website can still affect the security of the payment. Anyone running their own WordPress or Magento shop with an embedded or direct-post payment form;
- SAQ B: For merchants that use only imprint machines and/or standalone dial-out card terminals, with no electronic cardholder data storage. It does not apply to e-commerce at all; the typical case is a shop with a card terminal on a phone line;
- SAQ B-IP: For merchants that don't store cardholder data in electronic form and use only standalone, PTS-approved point-of-interaction devices that connect to the processor over an IP network and to nothing else in the merchant's environment. These merchants may handle either card-present or card-not-present transactions. Anyone with a standalone card terminal on the internet rather than a phone line; a reader integrated with a till, computer or tablet does not qualify;
- SAQ C-VT: For merchants that key transactions one at a time into a web-based virtual terminal hosted by a validated third party, rather than using a physical card terminal or a payment application of their own; the computer used must not be connected to other systems in the environment. Anyone who takes card details over the phone and types them into their provider's web page;
- SAQ C: For merchants with payment application systems connected to the Internet (no electronic cardholder data storage). Anyone who uses a till or booking system installed on their own computer that sends card data to the processor;
- SAQ D: For all other merchants not eligible for the SAQ types above, including anyone who stores cardholder data electronically. Anyone who is confused as to which one they should complete ends up here, and it is by far the longest;
- SAQ P2PE: For merchants that use only hardware terminals belonging to a validated, PCI-listed point-to-point encryption solution, with no electronic cardholder data storage. It is therefore not applicable to organisations that deal in e-commerce.
What is wrong with PCI-DSS?
The main issue I see today with the PCI-DSS standards is that for many retailers they are not achievable. Small retailers with limited IT skills and budget shouldn’t be burdened with the technical overhead of PCI.
Instead, the security aspects should be more than covered by application and device certification (PA-DSS, now the PCI Secure Software Standard, for payment applications and PCI PTS for terminals). What's more interesting is that application and device certification is already quite rigorous.
It would make more sense to have retailers complete a short online course (20-30 minutes of e-learning each year) covering the do's and don'ts of policy and process than to have them promise they've installed a recent antivirus.
Why is it a scam?
Other than the basics of not writing down card numbers and some of the non-technical process requirements, PCI-DSS is generally designed to catch merchants out. There are reams of provisions that no normal independent retailer today would likely ever be able to fulfil without significant investment.
All this to hedge risk in payment systems, software and hardware that should be secure by design without needing extra work.
The content of the PCI-DSS questionnaire, in our opinion, won't really make any difference to the security of a transaction. Having a firewall on your network, for example, is pointless unless it is correctly and professionally installed, configured and maintained.
Card networks, processors etc push out these questionnaires with the sole intent of trying to shift some of their responsibility for security if things go wrong. If a merchant hasn’t faithfully completed the questionnaire they are an easy scapegoat.
So should you fill them out?
Well, yes, probably. While we think they are a scam, you're taking card payments, so you're part of the system whether you like it or not, and you should reduce your exposure as far as you can. The most effective way to do that is to reduce scope: fully outsourcing payment capture to a validated provider (a hosted payment page or redirect) moves you into the short SAQ A and leaves you far less to attest to. Whichever questionnaire you end up with, make sure what you sign is actually true, because a false attestation is exactly what makes you the easy scapegoat described above.
P.S. Please don't take this article as formal advice; it's just a warning that if you can be blamed, you will be.