March 12, 2024

Introducing PCI's New Self-Assessment Questionnaire

Written by Chris Camejo
PCI Assessment

The PCI DSS 4.0 transition deadline is approaching on April 01, 2024, and we have a new type of reduced-scope self-assessment questionnaire (SAQ) to go with it: SAQ SPoC. If your organization is accepting payment cards via a device attached to a smartphone or tablet, e.g., a Square solution, then this may be the SAQ for you.

To get the PCI jargon out of the way, SPoC stands for "Software-based PIN entry on COTS". This refers to Secure Card Reader-PIN (SCRP) devices attached to commercial off-the-shelf (COTS) devices. In plain English, this means a special type of card reading device attached to a device like a tablet or smartphone.

Many merchants that use these types of devices don't realize they are required to comply with PCI DSS. The merchants often think the solution provider is responsible for compliance, but this is not the case. Any merchant that accepts payment cards is, at the very least, responsible for tracking the compliance status and responsibilities of its service providers in accordance with requirement 12.8 and for having an incident response plan in accordance with requirement 12.10.1. Other PCI DSS requirements will apply unless the merchant has completely outsourced all card handling to a third party. For merchants using SPoC devices there are very few applicable requirements, but they must still be met.

All of the other types of SAQs that we know and love (or hate) are still available. Each organization will need to review the qualification criteria for each SAQ to determine which type they qualify for or if they should use SAQ D if they do not qualify for any of the other shorter SAQs. As always, only merchants are eligible to use the reduced-scope SAQs. Service providers must always use the special service provider version of SAQ D, even if they meet all of the other criteria for a reduced-scope SAQ.

Merchants that have multiple payment channels must use SAQ D, even if they have a SPoC solution. These merchants can use the SAQs that are applicable to each payment channel, including SAQ SPoC, to help determine the scope and applicability of PCI DSS to each of their payment channels. The findings from all of the SAQs can then be combined into their SAQ D. Organizations that must complete a Report on Compliance (ROC) may also use SAQ SPoC to reduce the number of applicable requirements in accordance with PCI SSC FAQ 1331.

SAQ P2PE has been the standard for minimizing the scope of card-present transactions for a few years. There is only one additional requirement in SAQ SPoC that is not in SAQ P2PE, and it relates to passwords on the COTS device. The remaining requirements in both SAQ SPoC and SAQ P2PE cover monitoring the devices for tampering, monitoring and management of third-party service providers, incident response, and handling of paper records (which most merchants don't have).

The full qualification criteria for a merchant to use SAQ SPoC is as follows:

  • All payment processing is only via a card-present payment channel;
  • All cardholder data entry is via an SCRP that is part of a validated SPoC solution approved and listed by PCI SSC;
  • The only systems in the merchant's SPoC environment that store, process, or transmit account data are those used as part of the validated SPoC solution approved and listed by PCI SSC;
  • The merchant does not otherwise receive, transmit, or store account data electronically;
  • This payment channel is not connected to any other systems/networks within the merchant environment;
  • Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
  • The merchant has implemented all controls in the SPoC user guide provided by the SPoC Solution Provider.

The use of a validated and listed solution is an important aspect. Your organization doesn't automatically qualify for SAQ SPoC just because you have a payment device attached to a mobile device. The specific solution your organization is using must be approved for it to qualify for SAQ SPoC. If the solution has been approved, your vendor should be able to provide you with a reference number that you can look up on the PCI SSC SPoC list. Alternatively, if your solution is on the P2PE validated list, you may use SAQ P2PE instead. The process to get a solution validated and listed with PCI SSC is performed by the vendor and requires an assessment by a PCI SSC approved company, so this is not something a merchant can do on behalf of the vendor. If your solution is not validated, you do not qualify for SAQ SPoC and must use another appropriate SAQ type.

It is also important to adhere to the requirements of the SPoC user guide. This document will be provided by the vendor and will be unique to each solution. Typically, the document will describe how to install the solution and any extra controls that need to be applied to the solution beyond the applicable PCI DSS requirements. Failure to adhere to the requirements of the SPoC user guide will make the organization ineligible to use the scope and applicability reductions of SAQ SPoC.

Unlike SAQ P2PE, SAQ SPoC requires that the devices be separated from other systems and networks within the merchant environment. This is similar to the requirements of SAQ B-IP, which applies to more traditional payment terminals that have not been P2PE validated and are connected directly to a network rather than via a COTS device. Organizations will need to pay close attention to the network architecture and firewall rules where SPoC devices are in use in order to qualify. As with failure to adhere to the user guide, an organization that does not implement this separation will not qualify for the benefits of SAQ SPoC.

TrustedSec has long recommended that card-present merchants use a P2PE validated solution to reduce scope. SAQ SPoC is very similar to the existing SAQ P2PE in most respects, and TrustedSec now recommends using either a P2PE or a SPoC solution. These are among the smallest scopes of all the SAQ types and will save a great deal of time and effort compared to completing a full SAQ D. SAQ SPoC can be downloaded from the PCI SSC document library. TrustedSec is a QSA company and is available to help organizations complete SAQ SPoC or determine which SAQ is right for them.