By Natasja Bolton, Senior Acquirer Support
SAQ A v3.2 has introduced a number of changes to the self-assessment that will impact your customers that have chosen to outsource the handling and processing of cardholder data to external third party providers.
Although the fundamental expectation of SAQ A has not changed (that all payment acceptance and processing has been outsourced to a PCI DSS validated third-party service provider) there are now additional requirements that your customers need to ensure are met:
- Security measures are now required to add basic protection to the service;
- They must be prepared for a security incident.
For the many small businesses whose websites are set-up to redirect consumers to a hosted payment page, this will be a significant change to their self-assessment. These merchants will need to assess their compliance with an additional eight SAQ questions that they themselves will most likely not know the answer to.
It is Sysnet’s belief that, up till now, the extent of most small businesses’ ecommerce website security assurance has been seeking confirmation that their hosted payment page provider is a PCI DSS compliant service provider: the minimum needed for compliance with previous versions of SAQ A.
This view is supported by the 2015 HMG Cyber Security Breaches Survey which revealed that micro and small businesses (those with less than 49 employees) using externally hosted services take fewer actions to obtain assurance of their provider’s security:
| Steps respondents have taken to obtain reassurance over the external provider’s security | Micro and Small Businesses (less than 49 employees) | Larger Businesses (50 + employees) |
| Ensure that contracts with your provider included provisions for security | 41% | 75% |
| Obtain a service auditors report (e.g. ISAE 3402, AAF) on your provider’s controls | 6% | 24% |
| Ensure that your provider is certified as ISO27001 compliant | 30% | 46% |
| Attain reports from your provider on security breaches that might affect your data | 13% | 34% |
With PCI DSS v3.2, SAQ A eligible small businesses will now have to seek compliance assurance not only from their hosted payment page provider but also from one or more third party providers hosting or managing their ecommerce website (the website that includes the re-direct code, or iFrame code, to the hosted payment page) to ensure that:
- Vendor defaults have been changed and unnecessary default accounts removed (reqt 2.1);
- All users are uniquely identified and authenticated (reqt 8.1.1, 8.1.3, 8.2, 8.5);
- Strong passwords are being used (reqt 8.2.3);
- Terminated user accounts are de-activated or removed (reqt 8.1.3);
- An incident response plan is in place (reqt 12.10.1 a))
Many ecommerce merchants are under the misapprehension that, when set-up to use a hosted payment page their own website is ‘out of scope’ for PCI DSS and its requirements. Unless they are warned in advance they will have no expectation that they need to engage their third party providers when assessing their ecommerce payment channel’s compliance for v3.2.
In order to raise awareness of the SAQ A changes and the additional compliance assessment steps that will be required of these businesses, Sysnet recommend that an education exercise be undertaken in advance of SAQ A re-validation to PCI DSS v3.2. To explain to affected businesses that:
- Their ecommerce website is in scope for PCI DSS and, despite the use of a PCI DSS compliant hosted payment page, is being targeted by hackers and could be at risk of a security breach;
- Their service provider management, due diligence and compliance assessment must include not only their hosted payment page service provider but also those third parties responsible for fulfilling the requirement 2 and 8 security controls now included in SAQ A;
- They and their third party service providers must be prepared for a security breach.
As noted in the HMG survey, security incident response should include receiving reports or notification from third party providers on breaches that might affect the business’ data, as well as the business themselves having a plan in place so they know what to do if they receive such reports.
Even the simplest of security incident response plans (step 1: contact your acquirer) will help to reduce exposure of cardholder data and hence reduce the cost and impact of the breach.
Some of your merchants may need assistance when dealing with these new requirements, Sysnet can help with an awareness campaign that empowers your customers and provides support when they need it. For further information on our Merchant Contact Services request a call back or email info@sysnetgs.com