Did you know that you don’t necessarily need to have a third-party assessment to be compliant with PCI DSS? Many organizations choose to self assess instead. Not every company can do this, and it isn’t always the best choice — but for some organizations, it’s an attractive option.
Self assessing may be an attractive option if you’re just starting out with PCI compliance, and especially if you’re a small organization with a restricted budget. The simpler your organization in terms of handling of card data, the easier it is to do a self assessment for PCI.
That said, you need to know what you’re getting into. Should you do a self assessment for PCI DSS? Here’s what you need to know.
What Is a PCI DSS Self Assessment?
In the PCI DSS world, there are two main paths you can take, with two different output documents:
- Third-party assessment, conducted by a Qualified Security Assessor (QSA). The final document is a Report on Compliance (ROC).
- Self assessment, conducted by your own internal team. The final document is a completed Self-Assessment Questionnaire (SAQ). You sign off on the SAQ yourself, but you can optionally have a QSA sign off on it as well.
The SAQ is available in a series of questionnaires, ranging from SAQ-A to SAQ-D. SAQ-D comprises all of the requirements of PCI DSS, and the others contain various subsets of PCI, based on the specific card usage scenarios of the target organization. You’ll need to determine which scenario fits your situation.
Completing the wrong questionnaire can have significant consequences, so it’s critical to use the one that fits your use case. I highly recommend that you rely on the expertise of a Consultant or Assessor to determine the correct SAQ for your organization. I have seen many organizations select an SAQ they perceive to be easier to complete, yet wrong for the organization, and it ultimately puts the organization at risk.
You can easily find all of the requirements for SAQs online and use that to provide the structure you need for a robust cybersecurity program.
The SAQ has two basic parts:
- The SAQ itself. This is an internal document for your organization. Use this to do all of your confirmations and affirmations. The SAQ document is used to sign off on the controls that you have in place.
- The Attestation of Compliance (AOC). The AOC is essentially a highlight reel of the content in the SAQ, which you can sign and provide to other organizations. Your clients, partners, and vendors will want to see your AOC.
The AOC is your sign-off to other organizations that you’re following all the rules and regulations of PCI DSS, and it declares the current state of all of those items.
Are You Eligible for a Self-Assessment?
If your organization processes more than a certain amount of card data, you’ll need to undergo a third-party assessment with a QSA. As long as you process less than that baseline amount, you’re free to self assess.
Check with the Merchant Bank behind your merchant account; it can help you identify which direction your organization should head in.
Why Should Anyone Take Your Word for It?
The downside to self assessing for PCI is that you’re asking clients and partners to take your word for it that you’re truly PCI compliant and following all of the rules. You don’t have a third party watching over your shoulder, holding your feet to the fire and validating your position.
You have an incentive to paint yourself in a positive light, so how do they know your AOC is trustworthy? If your clients and partners have any experience with compliance, they’ll be wary, because they’ve seen compliance documentation from organizations that were too generous in stating their position relative to the compliance standards.
To give your attestation credibility, I recommend that you have a QSA or a Consultant sign off on it or validate your position. These professionals live or die by their reputations, and they won’t put their name on a piece of paper unless they can personally verify it.
Use a Compliance Management System
One of the dangers of a self assessment is the possibility of breezing over PCI requirements without much rigor. It’s easy to convince yourself that you have your ducks in a row when no one is holding you accountable. I have seen plenty of organizations indicate they have antivirus, put checkboxes down the line and move on. Meanwhile, they have checked off detailed requirements with which they are not actually compliant!
A compliance management system has a built-in structure that forces you to go through every line item and confirm that you’re in compliance. Instead of simply checking a box that you have antivirus software, a compliance management system forces you to examine each individual antivirus requirement and attach evidence for it.
Not only is it an appropriate practice as you go through a PCI assessment, but it also protects your organization by ensuring that you have indeed done your due diligence. It also gives your clients and partners more confidence in the validity of your AOC.
Even if you start on your own, then grow into Consultants and Assessors, you’ll have a solid repository of your approach by requirement. This repository will quickly enable your new partners to get up to speed on your engagement. Better yet, your Consultant and Assessor partners will have the ability to integrate directly into the workflow of your engagement, streamlining everything.
Additionally, it is of utmost importance to “own your own compliance data.” You need to own the license for your own compliance management system so that if you switch Consultants or Assessors you don’t lose all of the history of your compliance information.
An SAQ Is PCI — Full Stop.
If you’re filling out a Self-Assessment Questionnaire, you’re making a declaration that you’re following all of the rules and regulations of PCI DSS, implementing all of the applicable controls based on the requirements of the standard. You’re stating that your organization is indeed fully PCI compliant. This is a big deal — you’re signing a piece of paper that has legal implications for your organization.
With that declaration comes the commitment that you will continue to maintain PCI compliance — which means you have ongoing responsibilities. PCI DSS requires organizations to complete certain tasks daily, weekly, monthly, quarterly, semi-annually and annually — whether you’re assessed by a third party or self assessing.
The SAQ gives you freedom to do your own assessments, but it doesn’t give you a pass on your responsibilities. PCI compliance is PCI compliance, no matter who ultimately signs off on your AOC.
Feel like you’re in over your head? Continuous PCI compliance can be overwhelming, but TCT Portal’s Operational Mode uses automation to make PCI maintenance easier, less risky, and less stressful.
Is Self Assessing Right for You?
Self assessing for PCI DSS can be an attractive option for many organizations, but it isn’t something to jump into lightly. Do your due diligence and make sure you know exactly what you’re getting into.
Talk with your Merchant Bank, Consultants and QSAs before you decide which path to take. TCT is widely connected to Consultants and PCI Assessors, and we’re able to recommend organizations that don’t suck to deal with.