If you’re in the Payment Card Industry (PCI), you’ll be familiar with a long set of assessment questions called the Self Assessment Questionnaire (SAQ) D. It is required for merchants/ service providers, and focuses on safeguarding electronic card data that service providers store, process, and use for transmitting.
A service provider is an organization or entity which is directly involved in processing, storing, and transmitting data of a cardholder on behalf of another business, including companies that are providing services which control or could impact the security of the data.
To ensure that the data is protected, the service provider that is handling the card data is required to be compatible with the PCI DSS. For example, if a service provider offers managed firewalls that have been used in another cardholder’s data environment.
Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ) D is the longest SAQ, mostly because it deals with securing electronic card data. It’s vital that businesses secure this data, which is why the process for filling out this SAQ is extensive.
PCI SAQ D Requirements
- Build and maintain a firewall configuration to protect the data.
- Avoid vendor-supplied defaults for passwords and other security parameters
- Safeguard stored cardholder data
- Encrypt cardholder data transmission across open and public networks
- Secure all systems against malware and update anti-virus software regularly
- Develop and uphold secure systems and applications
- Shield cardholder data access according to business requirements
- Identify and inspect access to the system components
- Restrict physical access to cardholder data
- Monitor all access to cardholder data
- Test security systems and applications regularly
- Keep a policy that ensures information security for all personnel
Network Vulnerability Scans
PCI DSS SAQ D requires that internal vulnerability scans should be sustained quarterly. Internal vulnerability scans are looking for network vulnerabilities locally. Service providers must regularly perform internal scans, and correct any findings to prevent the scope and intensity of a breach.
Penetration Testing
Service providers who use segmentation to detach cardholder data environments from other networks must be performing penetration testing at least every 6 months, and also after changes to segmentation methods.
For assistance in implementing PCI DSS Compliance, developing reporting and monitoring policies and procedures to help prevent data breaches, please do not hesitate to contact Agilient.
Author: Mahdi Kobeissi, Cyber Security Consultant