On November 18th the PCI Security Standards Council published version 2.0 of the Self Assessment Questionnaires (SAQs). These updated documents now align with the new version 2.0 of the PCI Data Security Standard.
The changes to the SAQs mostly involve minor refinements and clarifications, but one major change is the inclusion of a new type of SAQ: C-VT. This SAQ is a simplified version of SAQ C that is targeted at merchants who use virtual terminals to process payments. The SAQ defines a virtual terminal as:
a web-browser based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
Note that data is not read directly from the card, so no card readers or other swipe devices are involved. The most accurate representation of a qualifying merchant would be someone at a personal computer typing in card numbers and getting authorization codes from a provider like Authorize.Net or PayPal.
Version 2.0 of the SAQs becomes available in January of 2011, but merchants can still choose to use version 1.2 instead throughout 2011. You may not mix SAQ versions and DSS versions, however; everything must be either 1.2 or 2.0. Version 1.2 of both the DSS and the SAQs expires on December 31st of 2011.
To provide the most flexibility for merchants, QualysGuard PCI has added support for all version 2.0 SAQs, including wizards to help choose the proper SAQ version (A, B, C, C-VT, D), help text to provide guidance when completing the questionnaire, and full support for the milestone-based prioritized approach to the SAQs. Version 1.2 of the SAQs is also supported throughout 2011 for merchants choosing to use that version.
We hope you find the new capabilities helpful in achieving PCI compliance, and look forward to hearing your feedback.
More technical resources are available at QualysGuard PCI.