This article covers the Self-Assessment Questionnaire (SAQ) for Software-based PIN entry.
The Self-Assessment Questionnaire (SAQ) for Software-based PIN entry on Commercial off-the-Shelf (SPoC) is intended for payment channels where cardholder data is processed using commercial, off-the-shelf mobile devices (tablets or cell phones) in combination with a secure card reader that is part of a SPoC Solution included on PCI SSC’s list of validated Software-based PIN Entry on Commercial off-the-Shelf (COTS) Solutions.
Let’s take a deep dive into the SAQ SPoC.
Like other SAQs, the SAQ SPoC includes a list of eligibility criteria used to determine whether a merchant is eligible to perform a simplified self-assessment using the SAQ SPoC.
To be eligible to use the SAQ SPoC to validate merchant compliance, the following statements must be true for your payment environment:
Based on these eligibility criteria, we know that ecommerce payment channels will not qualify for SAQ SPoC assessments. All payments must be card-present where the credit card details are captured using a device that is part of a validated SPoC solution.
At the time of this writing, only six validated SPoC solutions are listed on the PCI Security Standards Council’s website.
Due to the limited number of validated SPoC solutions at this time, very few merchants will qualify to use this self-assessment questionnaire.
Like the SAQ P2PE, the SAQ SPoC requires merchants to receive a user/deployment guide from the SPoC provider and implement any additional controls listed in the user guide. These controls are in addition to the PCI DSS requirements listed within the SAQ SPoC.
If your payment environment includes a validated SPoC solution, be sure to reach out to your solution provider to receive a copy of the user guide.
The following existing PCI DSS requirements were added to the SAQ SPoC:
All security policies and operational procedures for said requirements are:
Well-documented security policies and procedures help a merchant maintain a PCI DSS-compliant environment, provided that employees working in the environment know the policies and procedures that apply to their job responsibilities. PCI DSS requirement 3.1.1 focuses on ensuring that policies related to these requirements are kept up to date and are distributed to affected parties.
For example, for requirement 3, a merchant should have a defined data retention policy that prohibits any electronic storage of cardholder data within the merchant environment and defines data retention and data destruction procedures for any physical media containing cardholder data.
Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:
If full primary account number (PAN) data is stored on paper by the merchant or stored in any format by the merchant’s third-party service provider (TPSP), this requirement will apply. Any merchant that stores cardholder data must follow a documented data retention and disposal policy.
For requirement 3.2.1, the merchant is expected to work with their TPSP(s) to identify any cardholder data storage and to understand how the TPSP meets this requirement for the data being stored on behalf of the merchant.
After March 31, 2025, merchants must ensure their data retention and disposal policies also cover any storage of sensitive authentication data (SAD). Before that date, this portion of requirement 3.2.1 is considered a best practice.
The card verification code is not retained upon completion of the authorization process.
If, as part of a merchant’s payment process, cardholder data is written down or received in a printed form (e.g., mail-order, fax-order), policies and procedures must be in place to ensure CVC data is not stored after the authorization process completes.
All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:
When a user is authenticating to one of the SPoC devices used in the merchant’s payment environment, the authentication must include at least one authentication factor (e.g., password, PIN, biometric verification, authentication token).
All security policies and operational procedures for said requirements are:
As with requirement 3.1.1, this requirement is focused on the need for merchants to have documented policies and procedures that govern merchant activities for securing physical media (e.g., reports, order forms) that contain cardholder data.
All media with cardholder data is physically secured.
This requirement only applies to merchants with paper records (e.g., receipts, order forms, reports) that contain account data including full PAN data. If such media exists, processes must be in place to ensure it is stored securely. If no physical media containing cardholder data exists in the merchant environment, this requirement can be marked as “Not Applicable.”
Offline media backups with cardholder data are stored in a secure location.
If physical media containing account data is stored at an off-site or backup location, documented procedures must be in place to protect this data from unauthorized access during storage. If no physical media containing cardholder data exists in the merchant environment, this requirement can be marked as “Not Applicable.”
Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
If physical media containing account data is received or generated by the merchant, this media must be properly destroyed at the end of the retention period. Merchants should have a document destruction policy which defines how this media is destroyed and how frequently the merchant is reviewing their physical media to ensure media has not been stored beyond the stated retention period.
POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following:
Policies and procedures must be in place that require a list of the POI (Point of Interaction) devices used in the SPoC solution to be maintained and that define a periodic inspection procedure for these devices. Policies must also require that personnel be trained in tamper prevention and detection techniques.
An up-to-date list of POI devices is maintained, including:
For this requirement to be “In Place,” a merchant must maintain a list of all POI devices used in the SPoC solution. This list/inventory must include the make, model, serial number, and location of each POI device.
POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.
POI devices used in the SPoC solution and included in the inventory required by requirement 9.5.1.1 must be inspected for evidence of tampering and substitution. It is recommended that merchants document when these inspections take place, which devices (by serial number and location) were checked, and any irregularities found, so that a missing, moved, or swapped device is noticed rather than assumed.
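As an added example (not from the SAQ SPoC, the PCI SSC, or the original article), the script below reconciles a 9.5.1.1-style inventory against the serial numbers actually found on an inspection walk and against an inspection log, so it serves both the inventory requirement and the periodic inspection requirement above. It flags unknown serials (possible substitution), devices found in the wrong place, devices not found at all, devices overdue for inspection, and devices whose last inspection recorded signs of tampering. Every make, model, serial number, location, and date is constructed, and the 90-day inspection interval (`max_days`) is an assumption, not a value the SAQ prescribes.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PoiDevice:
    """One entry in the 9.5.1.1 inventory: make, model, serial number, location."""
    make: str
    model: str
    serial: str
    location: str


@dataclass(frozen=True)
class Inspection:
    """One 9.5.1.2 inspection record: when, which device, where it was found,
    and whether the inspector noted signs of tampering."""
    when: date
    serial: str
    location: str
    tamper_evidence: bool = False


# Constructed sample inventory (hypothetical make, model, and serials).
INVENTORY = [
    PoiDevice("ExampleReaderCo", "SCRP-10", "SN-0001", "Register 1"),
    PoiDevice("ExampleReaderCo", "SCRP-10", "SN-0002", "Register 2"),
    PoiDevice("ExampleReaderCo", "SCRP-10", "SN-0003", "Curbside cart"),
]

# Constructed inspection log.
INSPECTION_LOG = [
    Inspection(date(2024, 1, 10), "SN-0001", "Register 1"),
    Inspection(date(2024, 1, 10), "SN-0002", "Register 2"),
    Inspection(date(2024, 1, 10), "SN-0003", "Curbside cart"),
    Inspection(date(2024, 4, 2), "SN-0001", "Register 1"),
    Inspection(date(2024, 4, 2), "SN-0002", "Register 2", tamper_evidence=True),
]

# Serials actually found on the most recent walk of the floor (constructed).
OBSERVED = [
    ("SN-0001", "Register 1"),
    ("SN-0002", "Register 2"),
    ("SN-9999", "Curbside cart"),  # not in inventory: possible substitution
]


def reconcile(inventory, observed, inspection_log, today, max_days=90):
    """Return a sorted list of (finding, serial, detail) tuples.

    UNKNOWN_SERIAL     a serial was seen that is not in the inventory
    LOCATION_MISMATCH  a known device was found somewhere other than its listed location
    MISSING            an inventoried device was not seen on the walk
    OVERDUE            no inspection within max_days of today (assumed interval)
    TAMPER_EVIDENCE    the most recent inspection recorded signs of tampering
    """
    known = {d.serial: d for d in inventory}
    findings = []

    seen = set()
    for serial, location in observed:
        seen.add(serial)
        if serial not in known:
            findings.append(("UNKNOWN_SERIAL", serial, location))
        elif known[serial].location != location:
            findings.append(("LOCATION_MISMATCH", serial,
                             f"inventory={known[serial].location} seen={location}"))

    for device in inventory:
        if device.serial not in seen:
            findings.append(("MISSING", device.serial, device.location))

    # Most recent inspection per serial.
    latest = {}
    for entry in inspection_log:
        if entry.serial not in latest or entry.when > latest[entry.serial].when:
            latest[entry.serial] = entry

    for device in inventory:
        last = latest.get(device.serial)
        if last is None or (today - last.when).days > max_days:
            findings.append(("OVERDUE", device.serial,
                             "never inspected" if last is None else last.when.isoformat()))
        if last is not None and last.tamper_evidence:
            findings.append(("TAMPER_EVIDENCE", device.serial, last.when.isoformat()))

    return sorted(findings)


def run_sample():
    """Reconcile the constructed data as of a fixed date (2024-05-01)."""
    return reconcile(INVENTORY, OBSERVED, INSPECTION_LOG, date(2024, 5, 1))


if __name__ == "__main__":
    for finding, serial, detail in run_sample():
        print(f"{finding:18} {serial:8} {detail}")
```

Run as a script it prints one line per finding; the value of a check like this is that the "unknown serial at the curbside cart" case, which is what a device substitution looks like in practice, cannot be glossed over by an inspection sheet that only records "inspected, OK".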
Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes:
Personnel working with or around POI terminals need to receive training that will help them to prevent and spot evidence of POI device tampering or substitution attacks. As part of this training, employees should be informed how to report suspicious behavior or indications of tampering to appropriate personnel.
An overall information security policy is:
As with requirements 3.1.1 and 9.1.1, it is important that policies and procedures be documented to support the security of the merchant’s payment environment.
For requirement 12.1.1, all related policies and procedures must be maintained and disseminated to the appropriate personnel, vendors, and business partners. The goal is that every individual who can affect the security of the merchant’s payment environment knows the procedures for keeping the environment and the data it handles secure.
The SAQ SPoC calls for “a security policy that is reasonable for the size and complexity of the merchant’s operations.” For a simple SPoC merchant, the policy may be a single document that explains how to safely process payment data and whom to contact if something goes wrong. Simple SPoC merchants are not expected to have the library of policies and procedures that is common for more complex Level 1 merchants or service providers.
The information security policy is:
Policies and procedures in place to help secure the payment environment must be reviewed at least annually and updated as needed.
The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities.
A merchant must clearly define security roles and responsibilities.
As with requirement 12.1.1, this does not have to be an overly complex task. It could be as simple as defining management responsibilities and clerk or cashier responsibilities. A merchant should know which individuals are responsible for ensuring that the requirements listed in the SAQ SPoC are being met.
A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures, and their role in protecting the cardholder data.
A security awareness program consistent with the merchant’s size and complexity must be in place. The program can consist of in-person or online training for employees, or of emails, posters, or other means of communicating information security concepts.
A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided.
One reason the SAQ SPoC is so short is that the majority of the risk to account data has been outsourced to PCI DSS-compliant TPSPs.
For this requirement, merchants must maintain a list of all TPSPs with which account data is shared or that could affect the security of the payment environment. The SPoC solution provider should be included in this list.
Written agreements with TPSPs are maintained as follows:
Merchants must have a written agreement in place with each of their listed TPSPs.
In this agreement, the TPSP should acknowledge its responsibility for the security of the account data it has access to, or, to the extent that it could affect the security of the merchant’s CDE, for that impact.
An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.
Policies and procedures should be in place to ensure the merchant performs proper due diligence before engaging any TPSP that will have access to customer account data or that could affect the security of the payment environment.
A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.
Merchants must be monitoring their TPSPs to ensure they are maintaining their own PCI DSS compliance.
It is recommended that merchants request a copy of the TPSP’s Attestation of Compliance (AOC) form on an annual basis.
Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.
Merchants should have a good understanding of which PCI DSS controls are managed by their TPSPs and which they are responsible for maintaining.
Many TPSPs will provide documentation to help define which PCI DSS controls are managed by the TPSP and which are left to the merchant.
It is recommended that merchants reach out to their TPSPs to ensure they have an accurate understanding of these PCI DSS-related responsibilities.
An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident.
Merchants must have a documented incident response plan that can be followed in the event of a security incident or suspected data breach. Having and following a well-understood plan can help to minimize the impact of a security incident or data breach.
Due to strong data security controls built into validated SPoC payment solutions, merchants using an SPoC solution to capture and process payments may be eligible to validate their compliance using the simplified SAQ SPoC.
Most of the controls listed in the SAQ SPoC focus on the physical security of the POI devices included in the SPoC solution, the physical security of any stored account data, and the management of third party providers who have access to account data or who can affect the security of the merchant’s payment environment.
If you have questions about which SAQ is right for you or are ready to get started, contact our experts at SecurityMetrics and complete your SAQ with confidence.