QualysGuard PCI Compliance Solution Provides Full Support for All Types of New Self-Assessment Questionnaire (SAQ) Version 1.1 for Both Merchants and Service Providers
Qualys, Inc. today announced an upgrade to its QualysGuard® PCI on demand compliance solution with the new Self-Assessment Questionnaire (SAQ) Version 1.1, issued by the Payment Card Industry (PCI) Security Standards Council (PCI SSC) in February 2008. The QualysGuard PCI implementation of the new SAQ allows customers to complete all versions of the questionnaire online and e-file it securely with their acquiring banks.
The SAQ is a validation tool used primarily by Level 2, 3 and 4 merchants (and some smaller service providers), as defined by the major credit-card brands—Visa Inc., MasterCard Worldwide, Discover Financial Services, American Express and JCB International — to validate compliance with the PCI Data Security Standards (PCI DSS). The PCI SSC updated SAQ version 1.0 to better align with PCI DSS version 1.1 and created four variants to ensure merchants only answer questions relevant to their environment. Each of the four variants, labeled A, B, C and D have qualifying questions used to determine which of the four questionnaires a merchant is required to complete.
“Issuing the latest self assessment questionnaire is another step the PCI Security Standards Council is taking to ensure that all merchants and service providers have options in determining their compliance strategy,” said Bob Russo, general manager, PCI Security Standards Council. “Having multiple SAQs available will streamline the process and make it easier for stakeholders to determine their compliance gaps and take action to ensure full compliance with the Standard.”
The SAQ, version 1.1 is now available at
https://www.pcisecuritystandards.org/tech/saq.htm and consists of four unique forms to meet various business scenarios. Each merchant completing the SAQ version 1.1 selects the questionnaire that best represents their environment, based on the descriptions below:
SAQ Validation Description SAQ Number of Questions
Type
1 Card-not-present A 11
(e-commerce or mail/
telephone-order)
merchants, all
cardholder data
functions outsourced.
This would never apply
to face-to-face merchants.
2 Imprint-only or B 21
stand-alone terminal
merchants with no
electronic cardholder
data storage.
3 Merchants with POS C 38
systems connected to
the Internet, no
electronic cardholder
data storage.
4 All other merchants D 226
(not included in Types
1-3 above) and all
service providers defined
by a payment brand as
eligible to complete an SAQ.
QualysGuard fully supports all four types of questionnaires, labeled A-D, including the ability to enter online comments for compensating controls, provide remediation action plan for non-compliant sections, complete attestation of the assessment and electronically sign the SAQ online. More details on the QualysGuard PCI implantation or SAQ 1.1 are available at:
http://www.qualys.com/docs/QG_PCI_GSG.pdf within the PCI Questionnaires chapter.
In this upgrade, QualysGuard PCI now supports both the previous SAQ version 1.0, as well as the four forms of the new SAQ version 1.1, allowing merchants to choose which version they wish to complete. According to the PCI SSC, after April 30, 2008, the older SAQ version 1.0 will no longer be accepted for compliance validation. From that date forward, all merchants will be required to use the new SAQ version 1.1.
