pci-dss

PCI DSS SAQ D for small business with one employee


I'm trying to figure out how to properly fill in the PCI SAQ D compliance form for a startup business with only one owner/architect/developer/admin/QA/etc. - all of them are me alone.

It's a web app for selling a particular intangible service. No card information is going to be stored. The reason for SAQ D: I'd prefer to do some validation logic on my server side and have a total review and confirmation page that matches the rest of the UI.

Hosting environment will be AWS Beanstalk + RDS.

When I read it, common sense tells me to ignore statements like "Interview personnel" or "Review policies & procedures", but I expect that large corporate minds are not usually driven by common sense but by rules.

  • I can hardly imagine a formal process of interviewing myself and documenting what I've asked and what I've said, especially the benefits of doing that.
  • Most of the questions in Requirement 8 make no sense either.
  • Questions that assume that staff is more than one employee make no sense.

Can those be skipped (N/A-ed) or should I formally do the exercise and generate some funny nonsense?

Thank you!


Solution

  • You can N/A those questions.

    Remember the SAQ is a SELF Assessment Questionnaire, not a test you are taking. The payment card industry is more concerned about your adherence to the "spirit" of PCI-DSS rather than hard fast rules. It's more about protecting cardholder data than it is complying with things that don't apply to your case. (Although anything that does apply should definitely be followed as a hard rule.)

    If you did get audited, it would probably only be because you had a breach, which obviously would NOT be because you didn't "interview yourself" and put on a security ID badge when you sat down in front of your development computer :-D and I don't think you'd have any trouble at all getting that point across to the QSA.

    Now, having all your security policies and procedures, network diagrams, firewall, etc. documented and reviewed periodically does apply, since for security guidelines to be followed on a continual basis, they must be reviewed on a continual basis. For these, just use common sense. In other words, go over your firewall rules and such at least as often as PCI-DSS requires and ask yourself, "Do I still need this ALLOW SNMP port 161 rule to be in effect?" etc. etc...Oh dear I think I just told you to interview yourself... :-D

    Anyway, you get the idea.
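The periodic firewall-rule review the answer describes ("Do I still need this ALLOW SNMP port 161 rule?") can be scripted on the AWS side so it actually happens on schedule. The following is an added example, not code from the question, the answer or any AWS tool: it takes security groups in the shape the EC2 DescribeSecurityGroups response returns (the `SecurityGroups` list, which in practice would come from `boto3.client("ec2").describe_security_groups()`) and flags ingress rules a one-person shop should re-justify at each review. The public-web port set, the sensitive-port list and the `SAMPLE_GROUPS` data are all constructed assumptions for the example.

```python
"""Checklist generator for a periodic security-group review (added example).

Flags two kinds of ingress rule that deserve a written justification at each
PCI DSS review cycle:
  1. anything reachable from the whole internet other than the public web ports;
  2. management or database ports reachable from a range wider than one host.
"""
from ipaddress import ip_network

# Ports the public web app is expected to expose (assumption for this example).
PUBLIC_WEB_PORTS = {80, 443}
# Ports that should never be reachable from a broad range (example list).
SENSITIVE_PORTS = {22: "ssh", 161: "snmp", 3306: "mysql", 5432: "postgres", 3389: "rdp"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    """Inclusive port range of one IpPermissions entry; protocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _cidrs(perm):
    """Yield every IPv4 and IPv6 CIDR a rule allows (group-to-group pairs are skipped)."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def review_ingress(security_groups):
    """Return (group_id, cidr, port_span, reason) tuples for rules needing review."""
    findings = []
    for sg in security_groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            lo, hi = _port_range(perm)
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            web_only = lo == hi and lo in PUBLIC_WEB_PORTS
            exposed = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
            for cidr in _cidrs(perm):
                if cidr in ANYWHERE and not web_only:
                    findings.append((gid, cidr, span, "open to the whole internet on a non-web port"))
                if exposed and ip_network(cidr, strict=False).num_addresses > 1:
                    findings.append((gid, cidr, span,
                                     ", ".join(exposed) + " reachable from a range wider than one host"))
    return findings


# Constructed sample, shaped like the SecurityGroups list of DescribeSecurityGroups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},          # admin's single host
        {"IpProtocol": "udp", "FromPort": 161, "ToPort": 161,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},               # the SNMP rule to question
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},         # RDS reachable only from the app tier
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},  # all ports from the whole VPC
    ]},
]

if __name__ == "__main__":
    for gid, cidr, span, reason in review_ingress(SAMPLE_GROUPS):
        print(f"[{gid}] {cidr} -> port {span}: {reason}")
```

Run against the sample, the script lists the SNMP rule twice (internet-exposed, and a sensitive port from a broad range) and the all-ports VPC rule on the database group once; the port-443 rules and the single-host SSH rule are silent. Each line printed is a question to answer in writing at the review, which is exactly the "interview yourself" exercise the answer ends up recommending.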