Self-Assessment Questionnaire (SAQ)

The Self-Assessment Questionnaire is a free, confidential tool that can be used to gauge your compliance with the PCI standards. It is made up of ‘yes’/‘no’ questions. To prepare for and complete the online Self-Assessment Questionnaire, follow these steps:

1. Familiarize yourself with the Payment Card Industry Data Security Standards (see the ‘Downloads and Resources’ section).
2. Most businesses will then want to download the printable Self-Assessment Questionnaire to gather responses before completing the online self-assessment. See the ‘Downloads and Resources’ section for the printable Self-Assessment Questionnaire.
3. After downloading the printable form, distribute the questions to the appropriate experts within your company to obtain accurate answers. These experts frequently include individuals responsible for policy and compliance, physical security and information security.
4. Complete the online Self-Assessment Questionnaire.

The results of the online Self-Assessment Questionnaire will be made available to you in the PCI Assessment Report, which will outline your assessed risk level.

All e-Commerce merchants who process fewer than 10,000 Visa accounts per month and have obtained the TrustSG seal (Singapore) automatically meet PCI standards. These merchants do not need to undertake the Self-Assessment Questionnaire. See www.trustsg.org.sg for more information on the TrustSG seal.
Vulnerability scan

An external vulnerability scan enables you to assess your level of security against potential external threats. Scanning tools generate traffic that tests network equipment, hosts and applications for known vulnerabilities. The scan is intended to identify these vulnerabilities so they can be corrected.

External / remote vulnerability scanning: if your network is connected to the Internet, you are susceptible to intrusions from external ‘hackers’. As such, all of your Internet-accessible network devices should be scanned for vulnerabilities from outside your perimeter protection, such as a firewall. The vulnerability scan is a non-intrusive test.

All scans must be conducted by a third-party compliant network security scanning vendor, selected from the list of approved vendors at https://sdp.mastercardintl.com/vendors/vendor_list.shtml. Quarterly scans are required for all merchants and service providers whose average monthly transaction volume is over 10,000. Follow-up vulnerability scans are performed to ensure that the remediation was successful. If network or application modifications are made to the production environment, additional scans may be required to ensure that new vulnerabilities are not introduced into the infrastructure. Visa strongly recommends that you perform internal and external (remote) network vulnerability scans regularly, as new vulnerabilities are constantly discovered.
Onsite review

The onsite review is an independent risk assessment recommended for all entities that process, store or transmit over 50,000 Visa accounts/transactions per month. Onsite reviews should be performed by a Visa Qualified Security Assessor (QSA). QSAs are Visa-approved organizations that provide specialist IT security reviews and confirm your compliance with PCI standards. During the onsite review, the QSA will follow a set testing procedure built around the 12 PCI requirements. You can obtain a copy of the Security Review Procedures that a QSA will perform during an onsite review from the Downloads and Resources section.

You can find a detailed list of Visa QSAs for Asia Pacific under the Downloads and Resources section. The Visa Asia Pacific Payment Security Services team also offers an onsite review service. Please contact Sophia Chen for detailed information.

If you currently use a security consultant to perform onsite reviews on your behalf and they wish to become a Visa QSA, please contact your acquiring bank. Visa will assess their credentials. Qualification is not guaranteed.
What is the cost?

The PCI online Self-Assessment Questionnaire and vulnerability scanning are provided by Visa Asia Pacific free of charge. The actual process of assessment, verification and remediation takes place at your organization’s expense. The length of time and cost of compliance depend on the extent to which you are already compliant.

The onsite review should be performed by a Qualified Security Assessor (QSA) or by Visa Asia Pacific’s Payment Security Service (VPSS) team. It is up to you to negotiate the cost of this service with VPSS or your preferred QSA. Again, the process of assessment and verification takes place at your organization’s expense, and the length of time and cost of compliance depend on the extent to which you are already in compliance.

Organizations that currently employ VPSS or one of Visa’s QSAs to perform annual reviews of their systems are recommended to simply expand the scope of the annual review to encompass the PCI standards. This will reduce the cost and resource requirements associated with meeting these requirements.