Western's 2018 SAQ Validation

December 6, 2018

 

Western is required to validate it’s PCI compliance on an annual basis.  While the Bank Card Committee is again working with MNP, a new Qualified Security Assessor (QSA) has been assigned to Western to validate our organization wide Self-Assessment Questionnaires (SAQ).  Our QSA will be onsite during the week of December 10 and will visit randomly selected Western Merchants to validate that proper procedures are being followed when accepting debit or credit card transactions.  With this in mind, the Bank Card Committee would like to highlight a few key areas of our policies and procedures.

Point of Sale Devices

All point of sale (POS) devices must be inspected on a daily basis, at minimum.  This can be done with the Interac or Moneris Point of Purchase Integrity Checklist available here.  If requested, a Western Merchant must be able to produce an inspection log for their POS devices.  All employees who operate POS devices must be properly trained, including training on how to detect if a POS device has been tampered with and what to do if they suspect that a POS device has been tampered with.  The physical protection of these devices is the responsibility of Western Merchants and is a PCI DSS requirement.  You may be asked to provide your daily checklist for review.

Western’s Security Breach Plan

Western’s Security Breach Protocol has recently been updated. While the overall structure remains unchanged, Merchants must make note of the updated contact information. This updated protocol must be clearly communicated and easily accessible to all employees.  This protocol gives Western Merchants the proper procedures to follow in reporting a suspected breach of their PCI environment.  Staff should know what to do and who to contact in case of a breach.  Your staff may be asked if they know what to do in case of a breach.

Credit Card Inventory Logs

PCI DSS requires all stored cardholder data to be inventoried, including cardholder data stored only until it can be processed.  This inventory log should include the card type, cardholder name, last four digits of the credit card number and a contact number.  The log must not include the full credit card number, the expiration date or the CVV code.  While the inventory log can be saved electronically (as it does not contain the full account number, expiry date or CVV code) the electronic storage of cardholder data remains strictly prohibited at Western.  Western Merchants must be able to produce this inventory list if requested.

Hosted Pay Page Solutions

Western Merchants must never enter credit card numbers into a hosted pay page (HPP) solution on behalf of a customer.  Merchants using a HPP solution should direct all customers to their website to enter credit card data to complete payment.  This is a PCI DSS requirement.  This does not pertain to POS devices.  Merchants processing payments manually, one at a time, through a POS device remains a PCI compliant practice.

Please refer to the Policy and Procedure tab for the updated Codes of Procedure.

 


Published on  04/19/2024 19:46:27 and maintained in Cascade CMS.