Society of Payment Security Professionals Forum  

  #31  
Old 07-28-2010, 01:48 AM
jbhall56 (Senior Member, joined Feb 2007, Minneapolis, MN)
Quote:
Originally Posted by cahenninger View Post
I believe Manukabay has hit the nail on the head. Now that said, I think there is a lot of confusion about what it takes to qualify for SAQ C. The statement that "the device does not connect to anything else on the network" is telling, but most forget about this. In other words, the only real way to qualify for SAQ C is to have a simple POS card swipe on a single connection to the Internet. No domains or other devices on the same segment. Most networks have more than one device.
Well said. But you can have a string of POS devices on the same network and still meet the requirements of SAQ C.

This is an example of where we frequently see SAQ C go wrong. A lot of restaurant franchisees that operate three or more locations typically have very sophisticated systems that not only run the POS, but also the back office accounting and inventory management, employee time keeping, etc. The problem is that these integrated solutions (usually only two servers, a primary and a backup) not only connect to the card processor, but also connect to master servers back at the franchisee's headquarters. 9 times out of 10, these are the people that want to fill out the SAQ C under the mistaken belief that their integrated solution meets the qualifications for SAQ C.

This is where the acquiring bank or the card processor needs to step up and explain that this is not the intent of SAQ C. However, because the majority of the card processors and acquiring banks have limited, if any, knowledge regarding the SAQs, let alone the full PCI DSS, they just nod their heads in agreement and let the franchisee fill out whatever SAQ they ask to fill out. Then when a breach occurs, all hell breaks loose because the franchisee is being fined by the people that gave them the bad advice.

The correct SAQ for our example above is to fill out SAQ D.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
  #32  
Old 08-26-2010, 01:23 PM
bhuebner (Member, joined Nov 2007, Minneapolis, MN)

Quote:
Originally Posted by cahenninger View Post
I believe Manukabay has hit the nail on the head. Now that said, I think there is a lot of confusion about what it takes to qualify for SAQ C. The statement that "the device does not connect to anything else on the network" is telling, but most forget about this. In other words, the only real way to qualify for SAQ C is to have a simple POS card swipe on a single connection to the Internet. No domains or other devices on the same segment. Most networks have more than one device.
Most people concentrate on the storage of CHD for an SAQ C. They really forget about network connectivity. It is actually quite frustrating, as customers don't agree with our assessment of their environment. Having been a former QSA for 4 years and now in a different market segment, we come up against competition in the sales process where the other vendor says they can do an SAQ C, and here is the solution, at a lower cost. We contend they are an SAQ D, rightfully so, and our solution cost is higher.

The amount of misinformation out there is amazing. Unfortunately, smaller merchants often go with the lowest cost solution and trust the vendor that they have adequately scoped the solution for their environment. Come breach time, they will be unpleasantly surprised.
__________________
---------------------------
Blake Huebner - CISSP, QSA (now former), CPISM

Last edited by bhuebner; 08-26-2010 at 01:25 PM.

Copyright (c) The Aegenis Group, Inc.