ASV Vulnerability Scanning Service Announcement

Dear Valued Customer,


Thank you for your continued support and trust in SVITI (Secure Vectors International Technologies Inc.). To help your company efficiently complete quarterly PCI DSS ASV (Approved Scanning Vendor) vulnerability scans, SVITI offers ASV account setup and scanning services through the Qualys platform. This support is designed to alleviate challenges related to heavy workloads or managing a large number of accounts.


Going forward, we will provide an “Authorized Scanning Service Application & Consent Form” based on the current expiration date of each customer’s ASV account. This form will confirm the scan targets and complete the authorization process. Once this is finalized, SVITI will officially take over and perform the scans on your behalf. For accounts that have not yet expired, the current process will remain unchanged until the accounts have been converted.


The service process is described below:

  1. Provide and complete the “Authorized Scanning Service Application & Consent Form” to confirm the scanning targets for each quarter.
  2. The first scan will be conducted mid-quarter, with an initial report provided for reference.
  3. Clients must complete remediation within two weeks, after which a re-scan will be scheduled.
  4. If the remediation period exceeds two weeks or the number of re-scans exceeds two, additional fees will be charged.


We will continue to optimize our process and introduce more services tailored to our clients’ needs, aiming to provide your company with more comprehensive compliance support.

If you have any questions or require further clarification, please feel free to contact us at any time.


Best regards,

Secure Vectors Information Technologies Inc.

2025-06-01

What is your SAQ Type?

The PCI DSS Self-Assessment Questionnaire (SAQ) is a self-assessment questionnaire designed to evaluate the compliance status of payment systems. It applies to merchants of levels 2-4 and service providers of level 2.

SAQ assesses an organization’s compliance with various standards. For example, under Visa’s guidelines, merchants processing fewer than 6 million transactions annually or service providers processing fewer than 300,000 transactions annually qualify for the SAQ.

5 Steps for PCI DSS SAQ Self-Assessment:

  1. Select the SAQ type applicable to you.
  2. Verify that the scope of your PCI DSS environment is accurate.
  3. Self-assess whether your environment is compliant with PCI DSS requirements.
  4. Complete the SAQ documentation, including assessment information, the questionnaire, and supporting evidence.
  5. Submit the SAQ assessment results and the Attestation of Compliance (AOC) to the requesting organization (acquirer).

Most importantly, choose the SAQ type that suits your environment!


For e-commerce, these SAQ versions may apply:

  • Service Providers

SAQ D for Service Provider:

Applicable only to service providers, it includes the requirements from SAQ D for Merchants and adds criteria for documentation and customer policies, procedural reviews, configuration checks, alerts, penetration test records, and more, with a total of 259 questions.

  • Merchants

SAQ A:

For fully outsourced payment services (e.g., payment page using URL redirect or iFrame). SAQ A involves document checks, configuration checks, policy reviews, data retention and disposal, and external vulnerability scans. It’s the shortest SAQ version, with only 29 questions.

SAQ A-EP:

For merchants using an outsourced payment processor but managing their own payment page. SAQ A-EP covers SAQ A items and adds requirements for network management, host management, data security, vulnerability management, access control, and monitoring/testing, with significant additional requirements due to partial involvement in payment processing.

SAQ D for Merchant:

For merchants with an in-house payment system or those storing cardholder data electronically. SAQ D for Merchant has broader requirements than SAQ A-EP, covering all PCI DSS requirements for merchants.

There are 10 different types of PCI DSS SAQs, each determined by the type of payment services you provide. The appropriate SAQ type is typically identified by your acquiring bank or with assistance from a Qualified Security Assessor (QSA), who can review your Cardholder Data Environment (CDE), cardholder data processes (such as card number handling), and data flow to accurately determine the applicable SAQ type. Alternatively, you can refer to the PCI DSS SAQ type descriptions provided on this page for a preliminary assessment.

If you need more information about SAQ types and want to achieve PCI DSS compliance effectively and accurately, professional advice from a QSA or QSAC is highly recommended. Their expertise can provide valuable insights tailored to your specific needs and ensure your compliance in the most effective manner possible.