Service providers have always had a slightly different focus in PCI DSS because as a service provider you have the ability to impact your customers’ PCI DSS compliance and overall security. Whether that’s through providing certain managed services like managed firewalls or data centres, your customers expect you to be able to demonstrate that certain requirements are met. The easiest way to do this is by completing your own PCI DSS compliance (rather than being included in multiple customer assessments).

However, the way that service providers need to report is changing with PCI DSS version 4.0. The report type that needs to be completed is not changing for service providers (you still need to complete either SAQ D – Service Providers or a Report on Compliance (ROC)).

In this post we will focus on SAQ D for service providers, but don’t worry, we will be publishing more information about the RoCs and service provider requirements separately.

New Reporting Format

The biggest change for service providers who are using SAQ D (Service Provider) is that there is a much greater level of reporting needed. In PCI DSS v3.2.1 SAQ D (Service Provider) looked the same as the other SAQs (just with a lot more requirements). But now, the SAQ is much more like a mini-RoC with each requirement needing an explanation of how the finding was reached.

Along with each requirement having a summary of the findings, the SAQ also now requires:

  • Network diagrams
  • Information about any storage of account data
  • Information about any storage of sensitive authentication data (SAD)
  • Information about each of the system components included in the scope
  • Results of quarterly ASV scanning

This is all information that you would see in a full RoC.

Unlike the RoC, SAQ D (Service Provider) does not have any ability to do custom testing – so if you want to do custom testing you will have to complete a RoC with a QSA.

What Do These Changes Actually Mean?

Things are changing quite a bit in version 4.0 for service providers.

  • Expect to spend more time on the process – all of the testing processes need to be followed and reported on, expect to have to interview people and review systems.
  • Expect to need to have someone who understands PCI DSS so that the answers provided make sense (PCIP, ISA, QSA)
  • Expect to have to have cross-functional participation for completing the report – not everyone will have the expertise to assess the questions, and you’ll have to make sure that the roles involved understand why they need to be involved
  • If your report is not easy to understand or is not comprehensive, there may be more queries from your merchants who are relying on your compliance because they may not understand what you have explained
  • If your report is well written, easy to understand, and comprehensive, you stand a chance to benefit from fewer queries because their questions have already been answered

Overall, SAQ D for Service Providers is adding some complexity, but will benefit merchants in the long run who will gain a far greater understanding of how their security is being managed.

Are You a Service Provider?

If you’re a service provider and you need help figuring out this new reporting format or what the new reporting means for you, Confide can help. We’ve worked with many service providers in NZ to help them achieve PCI DSS compliance. Contact us to find out how we can help you become PCI DSS compliant against PCI DSS v4.0.