Recently, we have had quite a number of requests from service providers asking us for clarifications on PCI-DSS. Some come by way of referral from other clients; some just cold call me and start firing questions away. I don’t mind actually. I’ve done many ad-hoc advisories in my car as I am always driving from one place to another.
Recently I had a discussion with a potential client and I went on to do my normal explanation of SAQ options available for him. He was more animated than normal and from our conversation, I could tell that he has done some reading.
The first thing he insisted was that he was doing less than 6 million transactions, so therefore he doesn’t qualify for Level 1 PCI-DSS, and thus avoids the controls for Level 1.
Firstly, just to be clear, the controls for Level 1, 2, 3 and 4 (for merchants) are EXACTLY the same. Going through Level 1 doesn’t mean you end up doing more than the other levels. The levels are guidelines on HOW you get validated for PCI (either you do a self-sign, or you get a QSA/ISA to sign off for you).
Secondly, these Levels are generally defined by the card brands. You won’t see level definitions in PCI-DSS officially. The reason we ended up with these 1, 2, 3 and 4 is that they are the common levels from Visa and Mastercard in their merchant programs. Those numbers you often associate with PCI (6 million for Level 1 etc.) belong to the Visa and Mastercard programs. Go ahead to https://www.americanexpress.com/content/dam/amex/hk/en/staticassets/merchant/pdf/support-and-services/data-rsecurity/DataSecurityOperationPolicyMerchants.pdf
Amex has different definitions! Surprise! Their merchant definition of Level 1 is much lower than the 6 million we see. It’s 2.5 million transactions per year. But I guess the number of people actually using Amex is probably the same as the number of people who understand the rules of winter curling, so we end up just falling back to Visa and Mastercard’s definition.
Thirdly though – because this person was considered a service provider, these merchant numbers are moot. They need to look at the service provider numbers, which are much lower – Level 1 Service Providers are those with 300,000 or more transactions yearly for Visa and Mastercard (Amex incidentally just keeps it at 2.5 million consistently for both merchants and service providers).
So, if you are a service provider, don’t look at the merchant numbers for Level definitions!
It was hard enough to explain that on the phone. He kept insisting he was PCI Level 3. I kept resisting the urge to correct him by saying that Level 3 definitions are mainly for e-Commerce merchants.
After a while, once he had somewhat calmed down, he then went on the trajectory that he wasn’t storing any card data and was outsourcing the storage and processing to another payment provider. This is possible. Many providers or aggregators utilise other payment gateways or third party facilitators to assist with the connectivity to the banks. But they use this argument to say PCI doesn’t apply.
Again – PCI applies regardless of whether you store card data or not. If you process, transmit, or even have security influence over those that handle card data – boom, PCI technically hits you. How it hits you is the question. If there is no storage, for instance, you may be able to escape the dreaded Requirement 3 and the Mystery of the Key Management Nonsense. But yes, some controls will still hit you regardless.
After a lull in the conversation, he started his engine again by claiming that OK, he might be a Level 2 as discussed, but he is definitely an SAQ A because he has outsourced everything to another gateway and only redirects to the payment gateway for card processing.
Again, while appreciating his enthusiasm, I had to say once more: SAQ A is applicable to merchants. If you are a service provider, you generally only have one option – SAQ D. At which point I became the receiving end of some colourful expletives (not aimed at me in particular). However, depending on his scope, some of the SAQ D controls may be marked as NOT APPLICABLE, so at least I had some good news for him – if what he told me was actually in place.
Then he went on a different tangent – so how often will Bank Negara (Malaysia’s Central Bank) ask us for this? I paused for a while, unsure if I had heard it correctly. When he reconfirmed, I mentioned that our Central Bank has no mandate on PCI-DSS (as far as I know). PCI is a contractual obligation. To which I was then queried: So who do I pass this PCI document to? (in more colourful language). And I simply said: Pass it upwards! If your bank requires it, send it to them. If your customer requires it, send it to them. If God Almighty requires it, send it to Him.
And then he asked the common question: Wait, if it’s self-signed, who will believe me?
Well, here’s the thing. Probably no one. But apparently, that’s how PCI works. If you are doing an SAQ and it’s allowed by your bank or customer, it is perfectly fine for you to do a sign-off in Section 3b of the SAQ and AoC. It is, after all, a Self-Signed Self-Assessment Questionnaire. Based on his stunned silence, I imagined he thought I was kidding. So he repeated: “So if I hung up now, and just signed off everything, does that mean I am compliant with PCI?”
“Well, yes, it would mean you have attested that you are compliant.”
“What if I didn’t do what the PCI needed me to do?”
“Then you are non-compliant.”
“Wait but I already signed off on it!”
“Well, that’s you attesting and saying you are compliant.”
The self-assessment concept is very difficult for some to understand. It’s like trying to explain the time dilation formula or something. And this is also the reason why I think, in 2012, the Council decided that the SAQ would have an option to have an ISA/QSA validate the SAQ (Section 3c). This means your SAQ is no longer “Self-Assessed” but rather “Self-Assessed with an Auditor verifying it”. It’s not mandatory for Level 2 Service Providers, but usually clients or banks will want to see someone other than the executive signing off on the SAQ.
I had to end the call then as I had reached my destination, so I offered to go over to his office to see if he needed any help with his Self-Assessment. I haven’t heard back from him since, so I guess he is still evaluating his options or something.
But the above conversation is more common than you think: mixing up the levels, mixing up the SAQs between merchants and service providers, and grasping the concept of the SAQ. If you need any clarifications, drop us a note at firstname.lastname@example.org and we will call you back. We are always looking forward to colourful conversations!