
I'm trying to figure out how to properly fill in the PCI SAQ D compliance form for a startup business with only one owner/architect/developer/admin/QA/etc. - all of them are me alone.

It's a web app for selling a particular intangible service. No card information is going to be stored. The reason for SAQ D - I'd prefer to do some validation logic on my server side and have a total review and confirmation page that matches the rest of the UI.

Hosting environment will be AWS Beanstalk + RDS.

When I read it, common sense tells me to ignore statements like "Interview personnel" or "Review policies & procedures", but I expect that large corporate minds are not usually driven by common sense but by rules.

  • I can hardly imagine a formal process of interviewing myself and documenting what I've asked and what I've said, especially the benefits of doing that.
  • Most of the questions in Requirement 8 make no sense either.
  • Questions that assume that staff is more than one employee make no sense.

Can those be skipped (N/A-ed) or should I formally do the exercise and generate some funny nonsense?

Thank you!

2 Answers

Are you really really sure you need SAQ D? It's a pretty big undertaking if you're starting from scratch. Is the money flowing into your merchant account? If so you could potentially get away with SAQ A, which is going to make your life WAY easier. If not, then you're probably SAQ D service provider and you'll have no choice but to do SAQ D. In terms of styling and validation you could use an iFrame solution like Braintree; you have quite a lot of control and it reduces your PCI scope significantly.

In my experience talking with the bank that holds the merchant account is a good place to start; they're keen for secure systems to be developed, so are likely to give you advice on what you need to do. You could also engage a QSA but they are not cheap in general.

I don't think (though I'm not 100% sure) interviewing yourself is required; those instructions are for auditors to use to ensure that policy and procedures are being followed. For lone developers, a big problem is code reviews, you will need someone else to do that.

Richard
  • He definitely needs SAQ-D, as it is required when the payment page is served from the merchant server and when the merchant uses a custom or in-house developed checkout system. – ruhnet Mar 24 '16 at 18:22
  • I suggested he use an iFrame from a PCI level 1 provider, in that case he should be able to use SAQ A if he's the merchant. Or SAQ-EP if doing a direct post. – Richard Mar 26 '16 at 19:47

You can N/A those questions.

Remember the SAQ is a SELF Assessment Questionnaire, not a test you are taking. The payment card industry is more concerned about your adherence to the "spirit" of PCI-DSS rather than hard and fast rules. It's more about protecting cardholder data than it is complying with things that don't apply to your case. (Although anything that does apply should definitely be followed as a hard rule.)

If you did get audited, it would probably only be because you had a breach, which obviously would NOT be because you didn't "interview yourself" and put on a security ID badge when you sat down in front of your development computer :-D and I don't think you'd have any trouble at all getting that point across to the QSA.

Now, having all your security policies and procedures, network diagrams, firewall, etc. documented and reviewed periodically does apply, since for security guidelines to be followed on a continual basis, they must be reviewed on a continual basis. For these, just use common sense. In other words, go over your firewall rules and such at least as often as PCI-DSS requires and ask yourself, "Do I still need this ALLOW SNMP port 161 rule to be in effect?" etc. etc... Oh dear, I think I just told you to interview yourself... :-D

Anyway, you get the idea.

ruhnet
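A concrete way to do the periodic firewall-rule review ruhnet describes, for the AWS setup in the question, as an added example that is not part of either answer: it walks security-group rules in the shape EC2 DescribeSecurityGroups returns (here a constructed inline sample rather than a live API call) and lists the rules worth asking "do I still need this?" about, such as SNMP on 161 or anything open to 0.0.0.0/0 beyond the one expected HTTPS port. The port and group names are assumptions for illustration.

```python
"""Periodic security-group review for an AWS-hosted, PCI-scoped web app.

Added example (not code from the thread). Input is a list of security groups
in the shape EC2 DescribeSecurityGroups returns; the sample below is constructed.
"""

WORLD = ("0.0.0.0/0", "::/0")


def rule_ports(perm):
    """Port range of one IpPermissions entry; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def rule_sources(perm):
    """CIDR sources of a rule (security-group sources are not CIDRs and are skipped)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def review_security_groups(groups, watch_ports=(161,), expected_public=(443,)):
    """Return (group id, rule, reason) for each rule worth a "do I still need this?".

    Flags any rule touching a watched port (SNMP 161 by default) and any rule
    open to the world other than a single expected public port (HTTPS).
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = rule_ports(perm)
            sources = rule_sources(perm)
            rule = f"{perm.get('IpProtocol')} {lo}-{hi} from {','.join(sources) or 'sg-only'}"
            reasons = [f"allows watched port {p}" for p in watch_ports if lo <= p <= hi]
            if any(s in WORLD for s in sources) and not (lo == hi and lo in expected_public):
                reasons.append("open to the internet")
            if reasons:
                findings.append((sg["GroupId"], rule, "; ".join(reasons)))
    return findings


SAMPLE_GROUPS = [  # constructed sample, not real infrastructure
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 161, "ToPort": 161, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
]

if __name__ == "__main__":
    for gid, rule, reason in review_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {rule} -> {reason}")
```

Against a real account the same function can be fed the `SecurityGroups` list from `boto3`'s `describe_security_groups()` unchanged.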