The PCI DSS Self Assessment Questionnaire, or SAQ, is supposed to be a fairly simple way to report on your organization's compliance with the PCI DSS requirements. For those of us who have been working in PCI for a while, completing an SAQ is a simple task. Comparing an organization against the complete PCI DSS requirements is another thing entirely and can be fairly complex. But for people who have not been exposed to PCI, even completing an SAQ accurately can be daunting.
There are a few different types of SAQ, each aimed at specific organizations based on their total number of annual transactions. The questions are high level and more basic than those in the full PCI DSS requirements, and they aim to confirm that the organization is following what's prescribed in the 12 sections of the full standard without requiring every organization to perform an audit against the entire PCI DSS requirements.
Having helped many organizations with their security and compliance initiatives, I have seen many SAQs that were not completed accurately. There are a lot of bogus SAQs floating around out there. Here are some tell-tale signs that your SAQ probably SUQ's.
- You have no idea what a DMZ is, but you watched someone set up DNS once and figured you must have one. So you answered Yes to the questions in section 1.3.
- Your whole encryption key management process is ... a guy. And you figure that since he's pretty brilliant, you can answer Yes to all the questions in section 3.6.
- It took less than a day to complete your SAQ Form D.
- The very first time the organization completed an SAQ, it scored all Yes's.
- Your SAQ is signed by the person who fixes the printers at your organization.
- You answered Yes to everything because your POS vendor told you they are "PCI compliant".
- For all you know OWASP could be a bug spray, but you still answered Yes to the questions in section 6.5.
If you don't truly understand the questions, then you shouldn't be completing the SAQ yourself. Do yourself, your customers, your company, and the rest of the world a favor. Hire some outside help.
Finally, your organization should be performing a gap assessment using the latest version of the full PCI DSS as your guide, not just the SAQ. The SAQ is really a document for you to attest to compliance. In my next post I'll talk about why passing the SAQ shouldn't be your goal.