#1
We have been made aware that some QSACs have developed Web-based systems for the filing of Self Assessment Questionnaires (SAQ). From our review of these solutions, it appears that they require the merchant to answer in the affirmative, regardless of whether or not the merchant is compliant with the requirement. In addition, some of these solutions also appear to be incomplete compared to the paper-based SAQ in that not all of the requirements are documented in these online versions.
I just want to get feedback from merchants that have used these sorts of solutions. Thank you.
__________________
Jeff Hall, Director, Risk Advisory Services, RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower, Minneapolis, MN 55402-2526
612 376 9280 - office; 612 395 7280 - facsimile; www.mcgladrey.com
The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc.
Last edited by jbhall56; 01-08-2009 at 12:08 PM.
#2
I would like to add to this.
One of my customers (I sell POS solutions) called me and said they received this letter from their processor: They called me because they wanted to know what this all meant. They are requiring level 4 merchants to report their SAQ results, which was new to me. So I wondered how they would react to a failing SAQ. I called Elavon and asked what would happen if they filled out the Automated SAQ that Trustwave provides and they answered honestly and failed it. The people on the phone had no clue what I was even talking about. After several days I had one person say that they "cannot" fail it, that they have to pass. So I asked him if the merchants should just say "yes" to all the SAQ questions so they pass... he didn't say anything, but it was interesting to me. These people are requiring the merchant to pay for this service (or fill out the SAQ and submit it), but they don't seem to care if they lie and just say yes to all the questions. Is this just the processor trying to show the card brands that something is better than nothing?? I don't see the point in this at all. What are your thoughts??
#3
That's the concern that we have as well which is why I posted the question in the first place.
What's the point if you cannot report that your organization fails? Or, that you encourage organizations to just say 'Yes'? I think this is something that the PCI SSC needs to get on top of ASAP before it becomes another embarrassing news story and makes the PCI SSC, card brands and PCI process look stupid and pointless.
__________________
Jeff Hall, Director, Risk Advisory Services, RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower, Minneapolis, MN 55402-2526
612 376 9280 - office; 612 395 7280 - facsimile; www.mcgladrey.com
The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc.
#4
I agree with Jeff's take. I heard about this move a while ago. What especially gets me (and should get the Council's attention) is the bit about "a monthly $20 non-compliance fee". A merchant might think Elavon has taken over from the brands and offered the alternative of PCI compliance or just paying 20 bucks a month. Let's see...$20 times 12 is $240, a pretty cheap alternative to becoming PCI compliant.
Yes, I know that isn't what Elavon meant, but it could be interpreted/twisted that way just as easily as checking "yes" to each box.
#5
Thanks for mentioning this phenomenon which threatens to reduce PCI DSS to a pointless joke. As I write this, one hosting company states:
Quote:
#6
In the past we have resold one of these ASV + SAQ services.
It's 'interesting' to see those L2/L3/L4 firms that call in the morning knowing nothing about PCI and are then 100% compliant on their SAQ 3 hours later.
lyalc
#7
Quote:
The PCI DSS is extremely confusing for non-technical users who are supposed to know the answer to (100s? depending on the scanning vendor) of technical questions they would never have any hope of answering. If the credit card companies wanted to solve their fraud problems, they would have long ago. However, they choose to penalize the merchant by way of chargeback fees for simply accepting a credit card that was stolen. If they wanted to cure their problems they would issue keyfobs with their credit cards like the ones devised by RSA seen here: http://www.rsa.com/node.aspx?id=1311 They would require consumers making online purchases to enter in their secure ID at the point of sale. Go ahead, steal the card numbers! You don't have the keyfob, your card doesn't work. Problem solved... How about issuing Internet Only cards and requiring the cardholder to pay $24.95 or whatever it would cost to provision a USB card reader to each cardholder that must be registered to a specific machine or machines in order to complete a purchase? Meaning the individual swipes their own card from their PC and if the swipe is done from another piece of hardware, the card doesn't work. How about temporary one-time use "card" numbers issued by the cardholder banks for online transactions... I've just given three ways to eliminate the ridiculous PCI DSS but I don't hope to ever see them. Nahh, they won't do anything like that. They'd rather make money on chargebacks from the merchants, and make getting online an impossible and expensive ordeal for the mom and pop out there that have no chance or hope of paying for a truly PCI compliant hosting service and no hopes of understanding what a SAQ is or does, let alone answer the questions correctly.
Last edited by Maxwell; 02-11-2009 at 01:05 PM.
#8
The problem is not that people don't want to fix the problem, it's the existing infrastructure.
Everything you discuss is entirely feasible given enough time and money to implement. The problem is that merchants and processors live on extremely thin margins and do not have the kind of budgets to spend on the necessary upgrades to support any of your solutions. Over time they could implement such solutions, but that would take quite a bit of time. Over time, I expect to see one or all of your suggestions implemented (just look at what chip & pin has done in Europe). And while that will get rid of the problem at certain levels of the processing chain, there will still be some point in the chain where the data MUST exist and they will become THE targets. Just like the Internet's primary DNS servers, they will be under constant attack and occasionally one of those attacks will likely succeed releasing however many records. Why? Because security is NOT perfect. Security can only reduce the risk, not eliminate it.
__________________
Jeff Hall, Director, Risk Advisory Services, RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower, Minneapolis, MN 55402-2526
612 376 9280 - office; 612 395 7280 - facsimile; www.mcgladrey.com
The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc.
#9
Good comments everyone! Stewart05...good investigative work. We need more people keeping everyone honest....keep it up!
#10
A client of mine who is earnestly working to achieve PCI compliance has been threatened with the loss of customers who inform him that his competitors are already there.
I know for a fact that the competitors cited have not certified their PCI compliance with Visa (I asked Visa and they told me so), yet these competitors have shared their clean ASV scan reports as well as, reportedly, fully-compliant SAQs with these customers. Trying to educate the customers otherwise is an uphill battle, since they know virtually nothing about PCI and my client is essentially accusing his competitors of misrepresentation. This sounds like exactly the situation that Jeff depicted at the start of this thread. Does anyone know if this has been brought to the attention of the PCI SSC?