Practical Cybersecurity with Jen Stone
Practical Cybersecurity, hosted by Jen Stone (MCIS, CISSP, CISA, QSA), is the bridge between complex security frameworks and real-world business implementation. Whether you are a "Jack of all trades" IT manager or a business leader with limited resources, this show provides the roadmap to a defensible security posture.
The SAQ A Deep Dive: Two QSAs Set the Record Straight (ep. 6)
This episode of Practical Cybersecurity moves past the standard PCI checklist to focus on the operational realities, common misconceptions, and "stealth" requirements that define SAQ A in the PCI DSS v4.0.1 era.
The Eligibility Foundation
Most merchants skip straight past the Eligibility Criteria, which are the actual foundation of the assessment: if you do not meet them, nothing you answer in the SAQ body matters.
- Total Data Outsourcing: To qualify, a merchant must not store, process, or transmit any electronic account data on their own systems or premises.
- Call Center Exception: A merchant that uses a third-party call center to take payments on its behalf can still qualify for SAQ A, because the account data is handled by the third party rather than on the merchant's own systems.
- Paper Ghosts: While the standard includes criteria for paper records, our experts have virtually never seen a modern SAQ A merchant that actually handles card data on paper in 15 years of assessments.
The Iframe Paradox
A significant "stealth" requirement exists for merchants using iframes to capture payments.
- Susceptibility by Design: A payment iframe is embedded in a page the merchant controls, so any script running on that parent page (the merchant's own, a tag manager, or something injected) can attack the checkout and scrape data directly in the customer's browser. That is what the SAQ A eligibility criterion about not being "susceptible to attacks from scripts" is getting at.
- "Hidden" Controls: To confirm you are not susceptible, the Council's guidance points to requirements 6.4.3 (an inventory of every payment-page script with written authorization and integrity assurance) and 11.6.1 (detecting unauthorized changes to the payment page as the browser receives it). Neither requirement is listed in the body of the SAQ A document, yet you effectively have to meet them to be eligible.
Tips for Completing Your SAQ A:
- The SNMP Trap: When hardening servers (Requirement 2.2.2, managing vendor default accounts), administrators frequently overlook SNMP community strings. For SNMPv1/v2c the community string is the only credential, and the vendor defaults ("public", "private") are published, so an attacker simply tries them first.
- Break-Glass Strategy: Requirement 8 now accommodates emergency "break-glass" accounts. If your lead admin ("Lisa") wins the lottery and disappears, your organization needs a documented, management-approved protocol to get the new hire ("Bob") into the system securely.
- The Staff Turnover Gap: Quarterly ASV scans often fail because the one person responsible for them leaves the company, and the new hire is unaware the scans are even occurring. Redundancy—where management also receives scan results—is a critical operational fix.
- Compliance is Not Inherited: Just because AWS is compliant does not mean your implementation of it is.
- Responsibility Matrix: Use your provider's Security Responsibility Matrix to identify exactly which controls are managed by the vendor, which are shared, and which remain your sole responsibility.
- And More!
Resources:
Download the SAQ A: Official PCI SSC SAQ A 4.0.1 PDF
List of PCI ASVs: Approved Scanning Vendors
A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.
If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place
But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/