NAVIS FAQs

Navis RapidSAQ at a high level

The processes of self-evaluation, SAQ derivation, remediation tracking, and reporting are difficult for many organizations to keep track of. The Navis® RapidSAQ™ service simplifies them through:

• An intelligent expert-system questionnaire that identifies and builds the appropriate SAQ validation forms from a set of simple questions;
• Intuitive online help that clarifies and interprets difficult SAQ control questions;
• A compliance planning scheduler that helps you identify and keep track of important SAQ compliance dates;
• A remediation planner that helps you identify and track the remediation efforts needed to bring you into compliance;
• Rapid reporting features that allow you to quickly build all required SAQ forms and documents;
• The ability to interact with online or live professional audit support while completing your SAQ;
• Hierarchical organization reporting features that allow highly structured merchant/service provider entities to roll up SAQ reports to top-level reporting entities.

The Navis RapidSAQ experience

The SAQ can be found under the "Assessments" tab within the Navis® RapidSAQ™ service navigation. This link takes you to your questionnaire jump page, where you can view all assessments, their current progress, and other information.

There are 9 SAQs within PCI SAQ 3.0. The merchant is responsible for determining which SAQ it is eligible for, based on the complexity of its card acceptance processes and technologies. Navis® RapidSAQ™ contains smart logic that determines which SAQ Schedule is appropriate for your organization and then asks you the set of questions for that category. To do this, Navis® RapidSAQ™ first asks you a series of questions in an Environment survey; the appropriate SAQ for your organization is determined once you have completed all of the questions in that survey.
Your calculated SAQ Schedule is displayed in the "RapidSAQ 3.0 Definition" box at the far right of the assessment page. Once you have completed the Environment survey, you can move on to the Controls survey, which compiles all PCI SAQ control questions that apply under your calculated SAQ.

Saving your responses

You may save your responses at any time during the questionnaire. Your answers are written to the database when you click the "Save" button, which appears at the bottom of every questionnaire page. You do not have to click "Save" before moving between questionnaire steps, although Coalfire strongly recommends that you save your responses frequently. The application automatically times out your session after 40 minutes of inactivity, and any answers changed since your last save are lost when that happens.

Completing the Environment Survey

An accurate and complete PCI SAQ always begins with a sound analysis of your cardholder data environment (CDE): the environment where cardholder data is stored, processed and/or transmitted. This environment is not just technology; it includes the processes for card acceptance and handling, the places where cardholder data may be located, and the people responsible for its care. Defining this environment, and how it affects the controls you must validate, can be difficult. The Navis® RapidSAQ™ Environment survey provides a set of tools to help flesh out these details, and it uses your responses to determine the applicable SAQ Schedule and control questions. Most of these questions concentrate on your payment acceptance processes and payment technologies. Some questions are very specific, so be sure to bring a firm understanding of this environment into the survey.
Completing the Controls Assessment

The number of PCI DSS control questions varies greatly depending on the SAQ schedule selected for your company. To see exactly how these questions relate to your SAQ Validation Type, refer to the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines document.

Within Navis® RapidSAQ™, a PCI DSS control question can be answered in one of six ways: "Yes", "No", "Yes with CCW", "Not Applicable", "Partial", or "Not Tested".

• Yes: you have tested the control and it is in place across your cardholder data environment.
• No: the control is not fully in place across your environment.
• Not Applicable: the control does not apply to your environment. Note: you must document the rationale for non-applicability in the text box that appears next to the question.
• Yes with CCW: the control is not in place as written, but its intent is met by compensating controls your organization has established that carry the same preventative weight as the original control. Compensating controls require diligent documentation according to Appendix D of the PCI SAQ, and merchants considering this response are strongly encouraged to seek the guidance of a QSA.
• Not Tested: the control was excluded from testing in this assessment. Use this response only on the guidance of your acquiring bank and/or a QSA.

Documenting your remediation plan

Any merchant or service provider that files an SAQ Form B, C, or D must document remediation dates for each of its non-compliant DSS requirements. Navis® RapidSAQ™ automatically tallies the non-compliant items from your questionnaire and compiles them into a list for remediation planning.
You may access this list by clicking the "Manage Remediation" tab within the Navis® RapidSAQ™ service navigation. Each non-compliant response entered in the questionnaire appears in the list on this page, showing the question name and requirement number along with any remediation information you have already recorded against the item. Clicking any item allows you to edit its remediation properties:

• Remediation start date and end date. The window within which the non-compliant item will be fully remediated and brought into compliance.
• Remediation Owner. The person internally responsible for ensuring the item is brought into compliance. By default, this is the person who originally marked it as non-compliant.
• Remediation Action (optional). The precise remediation actions that will be taken to bring the control into compliance.
• Status. Updated as the remediation actions take place. Available options are Undefined, Open, and Closed.

NOTE: Marking a remediation action as "Closed" automatically changes the corresponding non-compliant questionnaire response to a compliant response. Because the SAQ you submit reflects that change, close an item only once the control has actually been implemented and verified.

At a minimum, every non-compliant item must have a Remediation Start and End Date. This information is required in order to submit a complete SAQ report.

Building your formal SAQ report

You may generate a "Draft" PDF of your SAQ form at any time after you have started the questionnaire, even if the "SAQ Attestation" section is not yet complete. The Draft looks like the final version, so make sure you have completed the SAQ in its entirety before printing your final copy for submission. You may generate a submission-ready PDF of your SAQ form once you have:

1. Completed all required questions within the Navis® RapidSAQ™ Questionnaire (i.e., the Progress Meter reaches 100%); AND EITHER
2. Identified appropriate remediation actions for every non-compliant item present; OR
3. No non-compliant responses are present (and therefore nothing needs to be remediated).

Reports may be generated by clicking the "Reports" tab within the Navis® RapidSAQ™ service navigation. This page displays a list of all purchased reporting organizations, with a "report" button next to each RO name. Clicking the button generates a PDF report, which opens in a new window; you may need to disable popup blockers or other security tools that block popup windows.