PCI SAQ
The Payment Card Industry Security Standards Council is a non-statutory body set up by the industry to establish and uphold rigorous security standards, applicable worldwide to any organisation involved in processing credit and debit card payments. It operates several assessment programs in support of this work, of which PIN assessment is the most comprehensive. The most familiar is probably the Payment Card Industry Data Security Standard (PCI DSS) regime, which regulates the collection, processing, storage, transmission and destruction of credit and debit card information. While this standard is not legally binding, in practice the consequences of non-compliance can be very serious, not only reputationally but also for an organisation's ability to maintain a functioning presence within the payment system.
The PCI DSS assessment process is rigorous and extensive. In addition, it is not a fixed set of requirements: as technology changes and security risks mutate, provisions for safe processing and storage must be constantly updated. However, the PCI SSC recognises that there are huge variations of scale and engagement between different payment service users, which means that consistently imposing the strictest criteria may be neither fair, reasonable nor necessary in the case of many smaller organisations. For this reason, the PCI SSC introduced a system of self-assessment (the PCI SAQ) and issued clear designations of the types of organisations permitted to use this method.
Who can use the PCI Self-Assessment Questionnaire?
It would be a mistake to see the self-assessment regime as simply a shortcut to compliance. For one thing, although it may involve less administrative work and expense than engaging a third-party PCI assessor, it still demands an intensive level of examination; for another, it is about more than compliance: it is about greater security, which is of direct benefit to you and your customers. Compliance does not guarantee security in the longer term, which is why constant re-assessment is vital. It needs to be part of your general business practice in the same way as end-of-year accounting. If you qualify for self-assessment, then integrating this regular process need not be too heavy a commitment.
Gradeon has years of experience working with clients to achieve and maintain PCI DSS compliance. We recognise that even self-assessment is not always straightforward – how many self-assessment tax returns are actually prepared by accountants? Firstly, we can help you identify whether you qualify. If you are an ecommerce trader, we can quickly appraise the applicability of the rules to your organisation. Most exemptions from full-scale assessments – although not all – are reserved for non-ecommerce traders, and they depend largely on how card data is stored and processed after the transaction. The PCI SSC provides eight different questionnaires; we can advise you on which is the correct one for your business, and then help you complete it to satisfy all the demands of the self-assessment regime, leaving you to continue trading as normal, safe in the knowledge that your business processes are certified and compliant.