SAQ C previously had five requirements:
- the payment system and an Internet connection had to be on the same device
- that device was not connected to any other system in the merchant’s environment
- the merchant kept only paper reports or receipts
- the merchant stored no electronic cardholder data
- remote vendor support was managed securely.
The payoff for meeting these requirements was that a school or campus merchant could qualify to use this simplified SAQ and avoid the much longer, more involved, and significantly more costly process of using SAQ D.
Unfortunately some of you will no longer qualify to use SAQ C. The reason is that SAQ C now includes an additional, sixth requirement:
- your company store is not connected to other store locations, and any LAN [local area network] is for a single store only.
This change means if your bookstore or food service operation or whatever supports a branch or second (or more) location(s) using their single POS system, they would need to use SAQ D.
The change to SAQ C will affect many universities that have retail or food service operations, and support multiple campus locations with a single POS system. I doubt cashiering operations will be affected very much.
We talked about this issue at the Treasury Institute's recent PCI workshop. I described the changes as part of covering what is new in PCI 2.0. It surprised me how many schools had not noticed the change in the SAQ. I admit it is a subtle change, but it is an important one for a lot of schools. It likely means they either have to license some additional POS applications so they have one for each location, or they are thrown into SAQ D.
If this situation describes your campus, I suggest you get to work on it now and not wait until the last minute. I hate to be the bearer of bad news, but better you should know than get caught up at the last moment
No comments:
Post a Comment