Maintaining compliance is essential to ensure the security of payment data and to continue processing transactions through the Rock transaction entry block.
Third-party vendors can help you streamline compliance management (Qualys, Sectigo, or Tenable.io for ASV scans; SecurityMetrics, Akamai, or Feroot Security for payment page monitoring).
1. Annual SAQ D Submission
Clients utilizing the Rock transaction entry block are classified under a compliance model that requires the annual completion of a specific PCI Self-Assessment Questionnaire.
| Requirement | Details |
|---|---|
| Document Required | Self-Assessment Questionnaire D (SAQ D) |
| Compliance Clock Start | The 12-month compliance cycle begins immediately upon the first use/activation of the Rock transaction entry block. |
| Frequency | The SAQ D must be completed and renewed every twelve (12) months. |
| Submission to Subsplash | Only the Attestation of Compliance (AOC) portion of the SAQ D must be submitted to Subsplash. |
| Submission Email | Please email your completed SAQ D AOC to our Merchant Operations team: merchantops@subsplash.com |
2. Quarterly Approved Scanning Vendor (ASV) Scans
Clients are required to perform external vulnerability scans using an Approved Scanning Vendor (ASV) to ensure continuous network security.
| Requirement | Details |
|---|---|
| Frequency | ASV scans must be performed quarterly (every three months). |
| Purpose | To identify and mitigate vulnerabilities in the external network environment that could potentially be exploited. |
| Submission to Subsplash | The results of the quarterly ASV scans are not required to be submitted to Subsplash, but they must be retained by the client for compliance auditing purposes. |
ASV Vendor Recommendations
Clients must choose a vendor from the official PCI SSC Approved Scanning Vendors list. Below are three commonly utilized options:
Qualys: Offers a comprehensive PCI compliance solution integrated with one of the industry's largest vulnerability scanning platforms.
Sectigo (HackerGuardian): Known for providing a simple, automated solution, often at a competitive price, with options for unlimited, on-demand scans.
Tenable.io: Leverages the power of the popular Nessus vulnerability scanner within its dedicated PCI ASV workbench service.
3. Payment Page Script Monitoring (PCI DSS 6.4.3 & 11.6.1)
As the Rock transaction entry block is embedded on the client's website, clients must ensure compliance with new PCI DSS requirements related to monitoring and managing all client-side scripts.
PCI DSS Requirement 6.4.3: Ensure that all payment page scripts (including third-party scripts) are inventoried, authorized, and their integrity is verified.
PCI DSS Requirement 11.6.1: Implement a mechanism to detect and alert personnel to unauthorized modification of the contents of the payment page (tamper detection).
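To make the two requirements concrete, here is an added illustration (not Subsplash's, Rock's, or any vendor's code) of the checks they describe: a 6.4.3 inventory of authorized scripts with an approved-content baseline, and an 11.6.1 tamper check that compares the payment page as served against that baseline. The URLs and file contents are hypothetical and constructed for this example.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_sha384(content: bytes) -> str:
    """Subresource Integrity digest of a script body, e.g. 'sha384-...'."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

# 6.4.3 inventory: each authorized script URL with the approved copy of its
# contents (constructed, hypothetical files for this example).
ROCK_JS = "https://example.invalid/js/rock-txn-block.js"
ANALYTICS_JS = "https://example.invalid/js/analytics.js"
APPROVED_FILES = {
    ROCK_JS: b"window.RockTxn={init:function(){}};",
    ANALYTICS_JS: b"console.log('analytics');",
}
BASELINE = {src: sri_sha384(body) for src, body in APPROVED_FILES.items()}

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def audit_payment_page(html: str, served: dict) -> list:
    """11.6.1 check: `served` maps script URL -> bytes currently served there."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        if src not in BASELINE:
            findings.append(("UNAUTHORIZED_SCRIPT", src))   # not in the 6.4.3 inventory
            continue
        if sri_sha384(served.get(src, b"")) != BASELINE[src]:
            findings.append(("INTEGRITY_MISMATCH", src))    # contents changed since approval
        if integrity != BASELINE[src]:
            findings.append(("MISSING_OR_WRONG_SRI", src))  # browser would not block a swap
    return findings

# Constructed snapshot of the payment page: analytics.js was altered after approval
# and ships without an integrity attribute, and an unknown widget has appeared.
PAGE_HTML = f"""<html><body>
<script src="{ROCK_JS}" integrity="{BASELINE[ROCK_JS]}"></script>
<script src="{ANALYTICS_JS}"></script>
<script src="https://cdn.example.invalid/unknown-widget.js"></script>
</body></html>"""
SERVED_FILES = dict(APPROVED_FILES)
SERVED_FILES[ANALYTICS_JS] = b"console.log('analytics');/*changed*/"
```

Running `audit_payment_page(PAGE_HTML, SERVED_FILES)` returns three findings: the unknown widget as unauthorized, and analytics.js for both a changed body and a missing SRI attribute, while the Rock script passes.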
Compliance Solution Recommendations
Complying with these requirements often involves implementing a specialized client-side security solution. Below are three vendors known for offering tools to address these specific requirements:
SecurityMetrics (Shopping Cart Monitor): Offers a solution that explicitly addresses the inventory (6.4.3) and tamper-detection (11.6.1) needs for client-side payment pages.
Akamai (Client-Side Protection & Compliance): Provides a comprehensive platform for client-side protection to help manage third-party scripts and detect malicious activity (e-skimming).
Feroot Security (PaymentGuard AI/PageGuard): Specializes in client-side security and offers products designed to automate compliance with 6.4.3 and 11.6.1 by continuously monitoring script behavior.
Disclaimer: These vendor recommendations are provided for informational purposes only. Clients are responsible for performing their own due diligence to select the ASV and payment page security vendor that best fits their specific environment, budget, and compliance needs.
Action Summary for Submission
| Requirement | Frequency | Submission Required to Subsplash? |
|---|---|---|
| SAQ D AOC | Annually | YES |
| Quarterly ASV Scans | Quarterly | NO (must be maintained by client) |
| PCI 11.6.1 & 6.4.3 Compliance | Continuous | NO (must be maintained by client) |
Please send the required SAQ D AOC to: merchantops@subsplash.com
