If you are a service provider who stores credit card data, PCI SAQ D likely applies to you. Service providers that process fewer than 300,000 card transactions may use SAQ D or submit a Report on Compliance (ROC). Service providers that process more than 300,000 transactions are required to complete a ROC.
See also: What are Service Provider Levels and How Do They Affect PCI Compliance?
A service provider is a business entity that isn’t a payment brand and is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business. This also includes companies that provide services that control or could impact the security of cardholder data.
If a service provider handles card data, it is required to be compliant with the PCI DSS to ensure that data is protected. Here are a few scenarios that would require a service provider to get PCI compliant:
Basically, if a business handles card data at any point, it needs to be fully compliant with the PCI DSS.
Service providers should have their network scanned for vulnerabilities at least quarterly, and after any significant change by an Approved Scanning Vendor (ASV).
By February 1, 2018, service providers that use segmentation to isolate the cardholder data environment from other networks must perform penetration testing on segmentation controls (also known as a segmentation check) at least every 6 months and after any changes to segmentation controls or methods.
This penetration testing should be performed by a qualified internal resource or third party. If an internal resource is used, the tester should have organizational independence (though they aren’t required to be a QSA or ASV). The purpose of penetration testing segmentation controls/methods is to verify that the cardholder data environment is protected from unauthorized access.
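A segmentation check ultimately comes down to one question: from a segment that is supposed to be out of scope, can any service in the cardholder data environment be reached at all? The harness below is an added example written for this article, not tooling from the article's author; it is run from a host on the out-of-scope segment, attempts a TCP connection to every documented CDE host and port, and reports each successful connection as a finding. The CDE inventory and the control target are constructed placeholders (assumptions), as is the rule that a run whose control target is unreachable is reported as invalid rather than as a pass, which guards against the common failure mode of a misconfigured test host producing a clean result.

```python
import socket
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample inventory (assumption): CDE hosts and the ports that must be
# blocked from every out-of-scope segment. Replace with your documented CDE inventory.
CDE_TARGETS = {
    "10.10.1.10": [22, 443, 1433],  # payment application server (hypothetical)
    "10.10.1.20": [3306],           # cardholder database (hypothetical)
}

# Constructed control target (assumption): a host on the out-of-scope segment that the
# tester SHOULD be able to reach. If this fails, the run itself is broken (wrong vantage
# point, local firewall, unplugged cable) and a clean result proves nothing.
CONTROL_TARGET = ("10.20.0.5", 443)

Connector = Callable[[str, int], bool]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int


@dataclass
class CheckResult:
    valid: bool                                   # False when the control target was unreachable
    findings: list = field(default_factory=list)  # CDE services reachable from the tested segment

    def summary(self) -> str:
        if not self.valid:
            return "INVALID: control target unreachable; fix the test vantage point and rerun"
        if not self.findings:
            return "PASS: no CDE service reachable from the tested segment"
        lines = [f"FAIL: {len(self.findings)} CDE service(s) reachable from the tested segment"]
        lines += [f"  {f.host}:{f.port}" for f in self.findings]
        return "\n".join(lines)


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake completes. Refused and silently dropped connections
    both count as blocked, which is exactly what a segmentation check needs to know."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_check(targets, control=CONTROL_TARGET, connect: Connector = tcp_connect) -> CheckResult:
    """Try every CDE host:port from the current vantage point; each success is a finding.
    The connector is injectable so the logic can be exercised without a live network."""
    if not connect(*control):
        return CheckResult(valid=False)
    result = CheckResult(valid=True)
    for host, ports in targets.items():
        for port in ports:
            if connect(host, port):
                result.findings.append(Finding(host, port))
    return result


if __name__ == "__main__":
    print(run_check(CDE_TARGETS).summary())
```

A PASS only speaks for the segment the harness was run from; the check has to be repeated from each segment that is claimed to be out of scope, and the inventory it reads must match the CDE scope documented for the assessment, since a host missing from the list is never tested.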
See also: Vulnerability Scanning 101 White Paper
Internal vulnerability scans should be performed quarterly. An internal vulnerability scan looks for network vulnerabilities locally (from the inside looking in), similarly to motion detectors inside your house.
If an attacker is able to leverage an externally-facing vulnerability to gain some level of access to an internal device, they can then pivot and attack other systems within the corporate network from their newly acquired internal foothold. Service providers must regularly perform internal scans and remediate findings to help limit the scope and severity of a breach. There are a variety of tools to help service providers comply with the internal vulnerability scan requirement. For example, you can:
Keep in mind the tool you use will still need to be configured by an expert after you purchase or download it. If you purchase an appliance, IT support service is typically included in the purchase. If you choose to use open-source scanning software, plan on spending more time researching best practice configuration tips through online forums.
See also: SAQ D: The Basics of Protecting Card Data for Merchants
An Attestation of Compliance (AOC) form is a document that’s completed by a Qualified Security Assessor to declare that the organization is PCI compliant. Service providers should have this form as proof that they are compliant with the PCI DSS.