Tag: pci compliance

The Biggest (Real) Myths of PCI-DSS: Part 3

pci-compliance

OK, we are down to the final 3 Real Myths of PCI-DSS, so here we go!

Real Myth 8: PCI-DSS gets easier and cheaper every year

This is quite understandable, seeing that the idea behind PCI-DSS , to many is to do once and be done with it. And in a sense, this is actually borderline correct. If you learn how to ride a bike at the start, you may need to get your Dad to teach you how to ride it so he is holding you for a while. After a while (sometimes, for some, maybe six years), you are able to ride the bike on your own and you don’t need your Dad hanging around anymore. So it’s the same. Except, replace the bike with PCI activities and your Dad with outsourced consultants or implementers.

The great thing about PCI-DSS is that it doesn’t dictate you to go out and purchase expensive services. In fact, the more you “in-source” the less costly your PCI will cost you (in terms of money going out of your company). If for the first year, you paid maybe 20K for all your penetration testing services – after 2 or 3 years, you decide to set up an internal InfoSec team to do these activities – done. You don’t have that 20K output anymore, and you have a team of pentesters to do it. (Of course, the question comes – how much are you paying your pentesters’ salary?)

However, whether it becomes easier/cheaper is probably not the case. You see, the first time you go through PCI-DSS, you are in what we call, First Time Certification stage. In this part, some of the requirements, such as quarterly ASV scan, quarterly IVA, half yearly firewall reviews, 12 months of log archives etc does not apply. And you go, huh? Why? Because you get a free pass, that’s why. In the first time cert, you simply have to do one iteration of these activities. For instance, the ASV scan, you just need to demonstrate one cycle of scan for all in scope systems. Your first time cert time range should be around 6 months…so, in this case, you could run an ASV scan one time, submit that as evidence for certification and get certified.

Once you are certified, keep an eye on the date when you signed off your AoC. 12 months from that date is your expiry, so that is your maintenance year. Your maintenance year is then divided into 4 quarters and you will need to ensure your annual, quarterly, bi-weekly, weekly, daily activities are done accordingly. So instead of ONE ASV scan, you now have 4. For each of your IP. Instead of one Internal VA, you have 4. Instead of one segment PT, you have 2. Instead of 1 Firewall Review, you now have 2. You get the gist. So for those who wonder if it gets easier in the second, third, fourth year, there is a rude shock. Furthermore, your scope may increase based on your growth so instead of testing 10 systems, your second year may test 20. Additionally, knowledge may also not be kept because there your IT team or compliance team may leave. That’s reality, so you are typically back where you started. So now you know. PCI-DSS is not unlike a marriage. You need to keep working on it to make it work.

Real Myth 9: A company is considered PCI compliant even after the expiry of certification, due to 90 days grace period from the council

I know what you are thinking. You are thinking, this myth is way too specific and it sounds as if this is a real life scenario that actually occurred. You are right. Because this was exactly what we faced not long ago. You see, we had a financial institution we were chasing for a PCI renewal. They outsourced their datacenter to another company (which is common), so therefore, in accordance to PCI requirements, that datacenter needs to be included in their PCI-DSS, either demonstrating their (DC’s) own AoC or to participate with my client’s. The DC chose the former, to show their own AoC. So far, it’s ok. But then, our client’s PCI-DSS expiry is on February. The DC over the years have always managed to renew their own PCI-DSS cert on time (about a month or so before our client) so we have always had a compliant report from them (the DC). Until recently.

So while checking requirement 9 Physical Security, we noted that the AoC provided to us from the DC had already expired about two months back, and our client’s expiry is in about a month’s time. So we rightly requested them to provide us an updated AoC. Instead we received a response stating that even though their AoC has ‘expired’, as per PCI, their compliance status is still valid for 90 days (3 months) grace period, and they will be conducting an audit sometime within these 3 months.

Oh-kay.

Firstly, just to be clear, PCI-DSS doesn’t give any 90 days grace period or what not. As in, it’s not part of the standard, or part of the PCI Council’s policy. Any grace period is given by the card brands to those under their contract and that even if they choose to do so. It’s those sort of thing that is like a ‘privilege not a right’. However, since this data center has NOTHING to do with the card brands (they are directly providing service to an Financial institution, and not connected to the card brands), how did the card brands provide this 90 day grace period to them? It’s definitely not the QSA who can provide any grace period. So where did it come from?

Secondly – a grace period is a grace period against something that you did not meet. In this case, it’s the PCI standard that you did not meet, i.e you are NON COMPLIANT with an expired AoC. That’s why it’s called a grace period. Whatever the penalty or action is, that 90 days is the ‘grace period’ you have before the hammer of justice falls. The fact is, the deadline has already been missed. You are now under ‘grace’. The meaning of grace is ‘undeserved favor’ (evangelicals like to use this terminology, but I digress). You don’t deserve it, because you are non-compliant and you have missed the deadline. But the card brand is giving you a favor before they implement PCI-DSS penalties or fees on you. 90 days, get your act together, else boom.

Now, obviously, if this data center gives this response as a justification of not producing a compliant AoC, how can our QSA accept that as a proof of compliance? Unless you are saying, our client should also be delayed 3 months from their compliance date just because this data center decides to take advantage of this so called ‘grace period’? You see where the problem is. The grace period isn’t stating the company is still compliant to PCI (they are no longer compliant without a valid AoC) – it’s stating, that’s the period of time the card brands will give before they smack you with penalties according to their contract.

Real Myth 10: If the company is an ISMS certified company, they have already complied to 90% of PCI-DSS

We get this a lot. And again, it’s very understandable why people think of such. And to be honest, there is some truth here. Being ISMS certified DOES help you become PCI compliant. And vice versa. They are both IT security standards/guidelines and seen as a distant cousin of each other. However, we do get potential customers arguing to us that because they are already ISMS certified, then we should only charge them 10% of what we normally charge for PCI.

That’s a head scratcher for sure. It’s like if I had a driving license from Malaysia and I apply to get my license in Australia and I demand the Australian government (or whoever runs their driving license department) to give me the Australian driving license for 10% of the fee. How? The audit for PCI needs to be done regardless of whether you are ISMS or not. Where you will likely save up money is in the remediation stage where you may end up implementing less controls. But the audit has to be done in the same manner as any other audit.

Additionally, while both ISMS and PCI deals with the same subject – Information Security – the philosophy is different. ISMS hinges on the Statement of Applicability and the risk assessment process. That’s key. In fact many of the controls and their implementation will be based on the risk process – and furthermore, how the ISMS can be improved in every iteration. It is a ‘system’ after all.

PCI is different. While there is a ‘token’ risk assessment in there, you need to understand that PCI-DSS is a risk-based standard…only, not your risks. But the card brand’s. It’s the result of a risk assessment, which has already been done by the card brands. That’s why they decide to impose these standards – logical security, audit and monitoring, secure software development etc on you. There’s not much disaster recovery or backup requirements because that’s a business risk. It’s not a risk to credit card confidentiality. So is a risk assessment still useful? I think it still is. A whole article can be written on how useful or superfluous one may find the risk assessment requirement is for PCI, but let’s leave it for another day.

Summary

Even from the start of writing this series till now, I’ve been beset with new enquiries and PCI interpretations that has left me flabbergasted. Some of these interpretations are not unlike theories of the flat world, where it can be easily explained. Others have found little tiny crevices in the standard itself that I myself after reading the standard a dozen times over would never think of. So, to say, we are still learning a lot about PCI-DSS and how different entities see it and interpret it, so these myths may not age well. There could be a whole new list of 10 Real Myths in about a year or so. Till then, drop us any enquiries at pcidss@pkfmalaysia.com and we will do our best to guide you through PCI-DSS and the infinity that lies beyond.

The Biggest (Real) Myths of PCI-DSS: Part 2

pci-compliance

So, continuing the Real Myths of PCI-DSS, lets move down the list.

Real Myth 5: All PCI-DSS services must be outsourced

Now, this is a very important myth to clear up. Because it directly relates to the usually biggest concern of all: cost. A while ago, we provided an idea on how to cost PCI-DSS, and break it up into certification/advisory costing and implementation cost. While the certification-advisory cost is easier to gauge based on locations, processes, card storage, activities covered , implementation cost is harder to gauge. Because number one – you don’t know your scope yet. This means, you may have 10 or you may have 200 systems in scope, you don’t know. Some go, “Ah but we know, because we have already decided our scope!” and we go, “Ah, but that’s the Real Myth 7, that you can decide your own scope…read on, intrepid adventurer of PCI!”

In any case, one way to cap a cost or save cost is to in-source your work, i.e have your own people provide the implementation services. There are no “PCI-certified” company to actually do the implementation services. All services – except for ASV scans – can be performed by your own, if you are qualified enough to do it (more on that later). I’ll throw in some services that for a typical PCI project, is a must:- Penetration testing, Internal Vulnerability assessment, secure code review and code training, patching, logging and monitoring and daily review of logs, card data scan, application testing, systems hardening, segmentation penetration testing, encryption, key management etc. These are fairly typical activities you will find in PCI – and you can do it all on your own if you have the resources and knowledge to do it. So, don’t feel cornered by any firms or consultants stating that these services must be done by them in order to pass PCI-DSS!

Real Myth 6: All service providers MUST be certified to do implementation services

This is an extension of Real Myth 5. So once the company decides to outsource the PCI services, in the case where they do not have the resources to do it internally – they go about requiring “PCI qualified” service providers to do these services. We’ve seen this requirement before where the requirement was to be a “QIR – Qualified Integrator and Reseller” to do services like penetration testing and code reviews and such. QIR isn’t created for that. QIR is created for implementing merchant payment systems and has nothing to do with the services mentioned. Aside from that, there is a growing call for PCI services to be only performed by “Certified Penetration Testing Companies” with CREST or individuals with certifications like Certified Ethical Hacker etc. Now, while these are all well and good, and certainly mentioned even by the PCI-DSS as a guidance in selecting your vendors, these are by no means a requirement by the standard. Meaning, the QSA cannot enforce all your testing to be done by the above said certified entities if you have ready, qualified and experienced personnel on your end to do it. Again – this doesn’t mean any Tom, Dick and Harry, Joe and Sally can perform testing or activities in your environment. The above certs and qualifications obviously carry weight and we should not dismiss the fact that if an organisation takes the trouble to go through CREST, versus a company that was set up two days ago, and employ 2 testers working in Elbonia – which you should prefer or which one will the QSA has less of an issue of – that’s pretty obvious. What I am stating here is that, we’ve seen many veterans who are far more efficient or experienced in systems testing and security testing than we can ever hope to be and for whatever reason, they don’t bother much about these paper chase or certifications.

At the end, the QSA may raise a query on who carried out the test and may choose to check the credentials of the testers, but in most cases, if the testing seems to be in order, most QSAs are OK with it.

Real Myth 7: PCI scope and application of controls can be determined by the customer

This one is my favourite. Because it played out like an episode of a slapstick comedy. I was called one day by one of our clients who had a new group handling their PCI-DSS program. You see, we’ve been doing their program for four plus years and we’ve been servicing them fine for years – but the new group handling PCI now isn’t well versed with PCI. It’s frustrating because no matter how many “knowledge transfer” sessions we gave, we still ended up with the same questions. We realised we were stuck in a Groundhog Day scenario, where things never change no matter what we do. The group wasn’t technical, which was an obstacle but overall, I think maybe they just have too many things on their plate.

So on this call, they said they were going to compare our quote to other providers this time around and I said, yeah, it’s fine. They then proceeded to give me a scope to quote and I commented, “Hold on, this is the wrong scope. This is the list of assets two years back. You have now changed your scope, and there is a new list of assets under scope for PCI.”

From there, the proverbial excretion hit the fan. They maintained how did I know their scope? I said, well, we helped you guys work it out. Your operations team is aware of it, that every year we help you validate your scope (as per PCI-DSS guidance). And they went: “Why must the scope come from you? We are the owners of the environment and the project, so we decide the scope!”

Aha. This is where our points diverge. You see, while the organisation does have the overall responsibility in setting the scope for PCI, PCI-DSS also has a guidance document “Guidance-PCI-DSS-Scoping-and-Segmentation” that defines how that scope should include assets and networks and therefore affecting how and where services should be implemented. So for illustration:

Company A says, “Well, we have a payment gateway and a payment switch business. We also have a call center and a merchant business that accepts credit cards through kiosks or direct POS acceptance in our outlets. Now, getting our merchant environment to be certified is going to be a pain. We have decided to just certify our payment switch environment which is isolated in a cloud, and not related to our payment gateway at all which we are just about to launch a few months from now, so there are no transactions yet.”

So there you go, Company A has set their scope and from the outset, it kinda looks fine. Yeah, if these are all isolated environment, it’s ok. In any case, in the report of compliance, the QSA would detail any services offered by the company that are NOT assessed, making clear what are the services NOT PCI compliant for that company.

However, what Company A cannot decide are the services and the assets involved in their scope. There is a method to scoping defined by PCI-DSS and we have written at length in this article here.   There are a few ways to minimise the scope by segmentation and so on, but for instance if you run a flat network and insist on it being flat, then everything within that network comes into scope – be it it’s your payment gateway, your merchant business servers, your call center laptops etc. So you can ‘define’ your scope, but what gets sucked into your scope to do hardening, pentesting, patching and all the PCI controls – that is already defined by the PCI on how it’s done. And we just have to identify these assets and systems and networks that get sucked into scope. PCI is a like a giant vortex or blackhole. Everything that is sitting on the same network or touches the systems in CDE, gets pulled into scope.

So there you have it. We will be exploring the final 3 Real Myths of PCI soon, but for now, if you have any queries on PCI-DSS, or ISMS or Theory of Relativity and Blackholes, drop us a note at pcidss@pkfmalaysia.com. Till then, be safe!

PCI-DSS Cheatsheet

As we approach the end of the decade, we are approaching 16 years since PCI-DSS was first introduced back in 2004. 16 years. That’s probably a full dog lifetime. I would imagine the guys back in 2004 would have thought: “Let’s just get version 1 out this year. I’m sure our next generation of brilliant minds will figure everything out by 2020.”

So now we are a few ticking days away from 2020 and yet, at the end of the line, I am still answering calls that are increasing as the days go by: What is PCI-DSS and how do we get it?

Most of these callers are generally calling because our names are listed pretty high on the internet when someone types in PCI-DSS Malaysia. Apart from that, a majority of these callers are calling because we were reference by one of our clients. We have faced different variations of callers coming in: Some requests us to provide them with a PCI-DSS ‘license’ in order to operate for their clients. Some requires a ‘certificate’, some are literally clueless as to what it is but their banks have mercilessly dumped this whole requirement to them.

Step 1: Who’s Asking?

First of all, take a deep breath, here is a simple cheatsheet. Whoever is asking you to be PCI-DSS, take note of it. Here are the Usual Suspects:

Bank – Very likely you are connecting to them doing some sort of payment processing like a payment facilitator, a TPA etc. Or you could be a service provider and your client just happens to be a bank, which brings us to

Customer – your customer for some reason is dealing with credit/debit cards, either directly or indirectly, and they require you to do PCI-DSS because you are servicing them or they have outsourced to you, like BPO, Data Center, hosting, call center, or even network transit

Internal – One of your internal managers have read up about PCI-DSS and decided that your company will sound very cool if you are PCI-DSS certified. Now, in this case, you could or could not be PCI. Because PCI is a contractual obligation dealing with credit/debit cards badged with Visa, Amex, Mastercard, JCB, Diners/Discover – if you don’t deal with this or have any clients dealing with it but your company just wants to get any standard out there – my suggestion wold be to go for something like ISMS (ISO27001) as that’s a better guideline rather than a contractual standard like PCI-DSS. If you still insist – well, you could still go through the SAQ but a lot of it will be not applicable to you since you are Non-CDE for everything.

Those 3 are mainly the motivations behind PCI-DSS. Why is it important to determine who is asking, is because of the next step:

Step 2: Determine your Level

Now there are guidelines out there for which level you should be at. If a service provider, then anything over 300,000 volume of card processing will bump you into level 1. For merchant, anything over 6 million for level 1 and anything over 1 million for level 2. I can’t count the times people get mixed up with Service provider levels and merchant levels. Even banks. I have banks telling our payment gateway that they are Level 4 . There is no such thing. It’s either one or 2. For merchants there are level 1,2,3 and 4 but the volumes are different.

Now while the guidance is cool and all, at the end it’s your bank or customer determining your level. If your bank decides to only deal with you if you do a full certification and RoC with a QSA, then even if you are processing ZERO transactions, they have deemed you as level 1. You can then decide to either say OK, fine, or tell them you are taking your business elsewhere. In that case, they may decide not to play hardball. I don’t know. Same as your customer. Your customer may decide you need to be assessed by a QSA, so it’s best you determine this with whoever is asking you.

The secret sauce is this: Most of the time, your bank/customer won’t have a clue what they want. They will just say, Oh, be PCI compliant. In this case, approach them with some tact. Your mission, should you choose to accept it, should be to avoid level 1 certification as much as you can, if your volume is low. It’s not justifiable. Look, if you want to be assessed by a QSA, by all means, but at least, know that you have a choice if your volume is low, and your bank/customer isn’t fussy about it. Just tell them: “OK, I’ll be PCI-DSS compliant, and I will fill up the Self Assessment Questionnaire (SAQ) and our management will sign it off and send it over to you. Is this OK?” If yes, then great, do your own self assessment. You can save up some money.

Step 3: Determine your Controls

This is probably the trickiest part of PCI-DSS. You see, being level 1 or level 2, self assessed or third party assessed, SAQ or RoC does NOT make any difference on what controls you need to have in place. An example: Level 1 compliance may require you to do ASV scans for 3 external IPs and 20 Internal IP Penetration testing. Guess what? Even if you are doing an internal self signed SAQ, you are supposed to do the SAME THING. No difference. No “Oh, since I am level 2, I will do ASV scans for 1 IP and maybe take 5 Internal IP for Pentest instead of 20.” In theory, all controls are the same, the only difference is WHO assesses and attests these controls.

Now, of course, realistically, this is not happening. Like I always illustrate, some companies consider a firewall as a wall on fire and they sign themselves off as PCI-DSS. Hence the whole passing the buck, passing the risk thing about PCI that I won’t go into discussion here. But in theory at least, same controls apply. But how do you determine what applies to your business? Well, based on your business flows of course.

Determine above all whether you are storing credit card information. If you are not, roughly 35% of PCI-DSS is not applicable (I am plucking that % out of no where, so don’t quote me). But a big chunk isn’t applicable. Second, determine whether you even interact with credit card or not. Look into all your channels. It could be complex like a call center, or simple like a network transit. In most case if you can determine that you have no access to credit card PAN or don’t store, and don’t process, the controls that are applicable to you are minimal. You should STILL be PCI compliant, but minimal controls apply.

Step 4: Determine your vendors and outsourcers

We had a client who cancelled an ongoing PCI-DSS with us because they have deemed themselves PCI-DSS compliant because they are using a PCI-DSS software. I cannot count the number of times I have to correct them – NO. Just by using a software which is PA-DSS compliant or even PCI compliance (like Cloud) DOES NOT make you PCI-DSS compliant. Will it help? Sure it will, but can you piggy back on someone else’s compliance? No. You can’t. So either you go through PCI yourself, or stay non-compliant, but don’t say you are compliant when you are only using a software that is compliant. That’s like saying you are certified to fly a plane when you are a passenger of a plane flown by a certified pilot. Or something similar.

Get your vendors on board for PCI if possible. If they refuse you can still use them, but you now have to include their processes under YOUR PCI-DSS program. Why would you want to spend extra days getting your vendor compliant when there are OTHER vendors who already are compliant?

So there you have it:- When someone requests PCI compliant – first, review your options. There is no ONE way for PCI. Go with the least resistance – self signed SAQ if your volume allows it. That saves you a lot of time and money as opposed to getting a QSA to come in.

If you have any queries on PCI-DSS, drop us a note at pcidss@pkfmalaysia.com and we will attend to it right away! Merry Christmas!

IATA and PCI-DSS to Travel Agents: Data Channels

PCI

IATA has for a few years been championing the need for PCI-DSS to the travel agencies that are registered under them. More recently, they have been pushing compliance for PCI and even made a deadline at June 2017 for all agencies to be PCI compliant. Unsurprisingly like many well intentioned deadlines, it is now pushed further back to March 2018. Our prediction is that by November or December this year, we might see yet another delay in the deadline. But that doesn’t mean there’s any let up in compliance. Therefore, we’ve been reaching out to many of the agencies who were our clients previously and letting them know if they need help on their SAQ, they know where to find it. Us!

Now, just to summarise, being registered with IATA means a big deal to an agency. It simply means you can issue tickets. So how it works is that IATA is like a national ‘switch’. Whereby registered members can receive calls from clients, and based on pricing etc, select the airline and pricing and issue these tickets – either to other clients or in behalf of even other agencies. Firstly, there is credit card involved, of course. Secondly, IATA members can tap into the BSP – the IATA Billing and Settlement Plan. This is like a huge payment switch – whereby it handles all the payments to multiple airlines from the agencies, so that agencies don’t have to deal individually with airlines for settlement of the tickets. Which is good. Secondly – there is the GDS (the global distribution system). There are a few players in the market – Sabre is one of the biggest (used by Malaysian Airlines), others are like Amadeus, Patheo etc. We’ve so far encountered Sabre and Amadeus in our clients and both of these are PCI certified providers.

So, with this basic understanding of how agencies work, how does PCI apply?

First of all, unless IATA makes a statement otherwise, agencies DO NOT NEED a QSA to do a level 1 certification or sign off on SAQ, unless explicitly requested do. Since IATA is the processor for the agencies in this case, it’s their call. But it’s a big call, because level 4 merchants aren’t very large and they might not be able to get QSAs to help sign off their documents. We are working with one of the largest merchants at the moment and even they are not requested by their acquirer to get a sign off on SAQ from a QSA.

99.99% of agencies out there will fall under the Level 3 or Level 4 merchant band and we all know what that entails – SAQ, signed off by their executive – only if required should they get a QSA to participate. But it helps to have someone that knows about PCI or else you would be groping in the dark with the SAQ options.

What we see a lot are merchants automatically selecting SAQ D-MER when it comes to PCI. Again you don’t have to.  Depending on the number of channels you have you might be able to select C-VT, or B, or even A-EP, A. We call these specialised SAQs – remember, if you don’t meet any of these criteria, you drop into the SAQ D bucket.

What many people don’t know is that you can opt for a separate SAQ for each channel, instead of having one SAQ D to cover all. Both are possible, but its just that for SAQ D, you would be marking a fair bit N/A if you are say just doing POS and e-commerce.

Before we venture into the dark arts of SAQ selection, let’s explore probable channels that agencies have.

a) Through the website – this is not that common actually. Now with Expedia, Agoda and all these portals coming up, it’s easier for consumers to get the best price regardless. But for corporate trips etc, some of these websites might still prove useful. Most of these websites will either redirect to another payment gateway or might even link to a GDS. Either way, they generally do not host the site where credit card information is being entered. So in this case, SAQ A might work. If they have card information collected in their environment before sending it over to the payment gateway, then SAQ A-EP. Questions for A = 22, A-EP = 191. So please think it over as to why you want to collect card information on your site.

b) MOTO – or Mail Order Telephone Order. In most cases, there would be a call into the agency requesting booking. Now it’s important then how card data is now transmitted, processed and stored. The agent likely will not have any funky call system like Ameyo or Genesys, and may just rely on our good old PSTN phone line. Once call is received, the agent will request details , including card details and type it directly into a GDS system. In this case, as there is no recording on the line, it’s fine, and as long as the agent is using a hardened desktop/laptop with a virtual terminal into the GDS, you can rely on SAQ C-VT to cover this. Now, what is a virtual terminal? Basically, it’s a virtual POS. You just don’t need to buy the POS devices. All GDS offers this solution, whereby you log into the virtual terminal and just input the card information.

The tricky part here is that not all information is received on phone. Sometimes, clients will say, OK, let me send you a batch of credit card info in a text file via email. Or, hold on, I am shooting you an image via WhatsApp or Skype. Or, wait, let me fax you the form. Oops.

Now what happens is that other channels are being utilised. You have storage of credit card information. You are no longer eligible for C-VT. C-VT = 81 questions. D-Mer = 332 questions. So, if you can stop these practices, I would suggest, go ahead and stop it.

c) Walk-In – most agencies have outlet(s) and you can walk in, and pay off the counter. They will either key in the information as if you had called, into the virtual terminal – OR, they might have an actual POS machine for you so you can dip your card and make a card present transaction. In this case, it depends on how the POS machine is setup. It would be pretty similar then to a normal retailer transaction – like a grocery store or departmental store. We’ve already written this at length here: http://www.pkfavantedge.com/it-audit/the-saq-bs-and-how-they-apply-to-you/.

So there you have it. Remember the following

SAQ A = 22 questions (good!)

SAQ A-EP = 191 questions (not great!)

SAQ B = 41 questions (good!)

SAQ B-IP = 82 questions (not so great!)

SAQ C = 160 (not very good!)

SAQ C-VT = 81 (that’s ok!)

SAQ D- MER(SP) = 332 or 359 questions (bye bye weekends!)

So there you have it. If you are an agency or a retailer and you need any help at all to clarify this PCI-DSS requirement, drop us an email at pcidss@pkfmalaysia.com. We will attend to you immediately!

 

 

© 2021 PKF AvantEdge

Up ↑