Merchants like to gripe about the Payment Card Industry data-security standard (PCI) nearly as much as they like to complain about interchange, but a new set of questionnaires for merchants to use with their PCI assessments could reduce the irritation factor. The new, so-called Self Assessment Questionnaire from the PCI Security Standards Council divides the old questionnaire used since January 2005 into four updated versions tailored for different categories of card acceptors, according to a Wednesday release from the Wakefield, Mass.-based council, a non-profit body established by the payment card networks to oversee the PCI standards.

The upside: many merchants no longer will have to answer questions about card-processing and security systems that don't apply to them. At the same time, the new questionnaires probe harder for weak spots in payment-processing software applications, a vulnerable area that one expert says hasn't received proper attention in the past.

The new self-assessments are for small and mid-sized merchants that typically are not required to have on-site PCI compliance assessments. In the context of Visa cards, the questionnaires would apply to so-called Level 2, 3, and 4 merchants. Level 2 merchants, the largest in the cohort, are those that submit 1 million to 6 million Visa transactions annually. In many cases, certified PCI auditors and approved scanning vendors, the latter of which assess network connections for PCI compliance, do their reviews remotely using special software.

The so-called SAQ A is for merchants that have outsourced all of their payment card data storage, processing, and transmission functions, while SAQ B is for those that still process card transactions with imprinters or use stand-alone, dial-up terminals only. SAQ C is for merchants that have their payment-processing systems connected to the Internet, and SAQ D is to be used by “all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B or C,” according to the release.

The new questionnaires aim to get the self-assessments in line with the requirements of version 1.1 of the PCI standards, according to a PCI Council spokesperson. The council released that version in September 2006 to update the original standard. “In some cases there were inconsistencies between the SAQ and the DSS 1.1,” the spokesperson says. “This addresses that.”

One of the key features of version 1.1 is the greater attention it gives to the security of payment-processing software applications compared with the earlier standard, according to Mike Weider, director of security solutions at IBM Rational, a unit of Armonk, N.Y.-based International Business Machines Corp. One of IBM Rational's leading products is AppScan, which automates the testing of Web-based applications, including online-banking software. “Application security has been somewhat under-represented,” he says. “They updated the requirements in the 1.1 version to … reflect that.”

The new questionnaires are just one more manifestation of the card industry's increasing focus on software security. Three months ago, the PCI Council said it would make Visa's set of recommendations for strong software security, Payment Application Best Practices, or PABP, an official part of the PCI standard (Digital Transactions News, Nov. 1, 2007). That project should be done by March 31, the spokesperson says. The council also is turning its attention to the security of devices for entering a card's PIN and will soon begin maintaining a list of approved PIN-entry devices, he adds.