As a Merchant, you probably rely upon the PCI DSS compliance of third parties. Maybe you outsource event ticket e-commerce sales. So you contact the third party and inquire about their PCI DSS compliance. They say “no problem, we will send over our SAQ.” (An SAQ is not the best form of compliance assessment for a service provider, but for small merchants with limited outsourcing, it is certainly better than nothing.)
In a situation that is becoming more common, the service provider then sends you a copy of their SAQ A (or another Merchant SAQ). When questioned about it, they reply that their QSA told them this is the correct SAQ for them.
Quick background: There is only one SAQ with a version for Service Providers. That is the SAQ D for Service Providers. See this simple flowchart from page 18 of the “PCI DSS Self-Assessment Questionnaire Instructions and Guidelines, v3.1 (April 2015)”. (This assumes that the service provider is defined by a payment brand as being SAQ-eligible.)
Alternatively, the Service Provider can complete an onsite assessment. The onsite assessment then allows the service provider to become listed on the card brand’s lists of compliant service providers.
The Service Provider or QSA may well be correct that the Service Provider is eligible to complete a Merchant SAQ, but only for the portion of the business that acts as a Merchant, not for the portion that stores, processes, or transmits cardholder data on your behalf.
So what should you accept from your service provider? The details vary by acquirer, so check your acquirer’s specific guidance, but all of the guidance points to a small number of acceptable assessment methods. These are the options:
- SAQ D for Service Providers
- SAQ D for Service Providers through the services of a QSA
- Report on Compliance (ROC) and onsite assessment
- And there is the option of bringing the outsourced environment into the Merchant’s scope.
Here is an excerpt from Visa’s website:
Visa requires submission of an executed Attestation of Compliance Form and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate PCI-DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).
Here is an excerpt from the Moneris website:
A service provider is defined as an organization that stores, processes, or transmits cardholder data on behalf of merchants or other service providers. All service providers are required to comply with PCI DSS. In addition, all service providers are required to validate their compliance to PCI DSS through the services of a QSA.
(ed: the Moneris website states that all service providers are required to validate their compliance to PCI DSS through the services of a QSA. Presumably this covers SAQs as well as onsite assessments. This might not be a term in your own agreement with Moneris.)