Although the PCI regulation is great for making companies which otherwise would do nothing with regard to security do something, I often find myself questioning the logic of the Payment Brands. Merchants that fall below a Level 1 or rather have a transaction volume less than 6 million annually (with regard to VISA, Mastercard, and Discover transactions) only have to fill out a self assessment questionnaire in order to show PCI compliance. As of right now, there have been no formal qualifications/guidelines for those filling out the SAQ. In other words, the Payment Brands have not defined a specific skill set or position within an organization that should be responsible for filling out this questionnaire.
So essentially, anyone from internal audit to network administration may have the responsibility of filling out this SAQ. Next year this will change for Level 2 merchants (between 2 million and 6 million transactions) that take MasterCard transactions when MasterCard starts requiring these organizations to have either an onsite assessment performed by a QSA or someone officially trained from that organization to become an Internal Security Auditor (ISA). Although I commend Mastercard for taking this additional step and I hope other payment brands follow suit, shouldn’t those responsible for filling out the SAQ in any size organization, whether you are a Level 2 or a Level 4, be qualified to do so? Doesn’t requiring only Level 2 merchants to have someone undergo appropriate training, imply that an individual in a smaller organization who is filling out an SAQ does not have to be qualified? This is pretty scary when you consider that it is a matter of one credit card transaction that could keep you from meeting that 2 million transaction threshold.
Look, all I am trying to say is that more times than not, I am seeing that companies are assigning someone to fill out an SAQ who does not have the security expertise to properly assess whether controls are implemented in accordance with PCI. These individuals think they understand the control requirements but most times do not. Is this a knock against these people? Absolutely not. Most times these individuals’ job functions don’t require them to have the needed security experience to properly assess their cardholder environment.
I understand the reasoning behind using the SAQ, which is: smaller organizations may not have the budget to have an onsite assessment performed. Unfortunately, there is a cost associated with doing business. In my opinion, if you as an organization choose to take credit cards, than you also choose to become PCI compliant. This should, in every instance, entail bringing in a 3rd party to assess those controls; after all, does GLBA or SOX allow a company to fill out an SAQ?