Q: Do I have to have my compliance validated by a Qualified Security Assessor (QSA)?
A: The major payment brands require level 1 and 2 merchants (or service providers) to utilize a QSA in order to complete a Report on Compliance (ROC) or to validate the merchant’s Self-Assessment Questionnaire (SAQ). In general, the number of transactions for VISA, Mastercard and Discover are the same. Level 1 merchants process more than 6 million transactions annually and Level 2 merchants process between 1 and 6 million transactions annually.
For more information on merchant levels click here.
Q: What are the most common reasons a company fails an annual PCI validation assessment?
A: Companies typically fail the annual PCI validation assessment due to one of these four reasons:
– Technology Gaps
– Knowledge Gaps
– Documentation Gaps
– Process Gaps
The only way to uncover these issues prior to an annual PCI validation assessment is by performing a PCI Gap Assessment. This assessment assesses each requirement set by the PCI-DSS that affects your compliance status, in order to determine where you are vulnerable and what you can do to remediate any issues.
Q: How long does the process take?
A: A typical PCI validation assessment takes between 90 to 120 days to complete. A QSA must conduct an on-site visit and assessment of the merchant’s current PCI status as it pertains to the 12 compliance requirements set forth by the Payment Card Industry Security Standards Council.
12 Requirements for PCI Compliance:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use default passwords for your system and other security parameters
3. Protect stored cardholder data – better yet, do not store cardholder data
4. Encrypt transmission of cardholder data across networks
5. Regularly update antivirus software
6. Develop and maintain secure systems
7. Restrict access to cardholder data
8. Assign a unique log in credentials to each individual with computer access
9. Limit physical access to cardholder data
10. Track and monitor access to network resources
11. Regularly test security systems and processes
12. Maintain and distribute an information security policy
Inability to meet these requirements may result in termination of credit card processing ability
Q: How do I know what merchant level I am and if my compliance status needs to be QSA-validated?
A: Customers should reach out to their merchant bank for guidance as to what merchant level they fall under according to their standards so the proper steps towards compliance are taken.
Q: How do I find a QSA?
A: In order to ensure that you work with a PCI-DSS certified QSA, you can access their approved providers by clicking here.
About the Author
Suraj Srinvas, VP Security Consulting at NuArx
Suraj brings over seventeen years of experience in Information Security, Compliance, Internal Audit and Risk Management. His experience spans the Insurance, Retail, Quick Serve and Fast Casual, Financial, Medical, Leisure and Manufacturing industries. His teams are tasked with understanding our client’s business objectives and identifying services that enhance their security posture, reduce risk and achieve compliance. We ensure the client’s strategic and tactical goals are accomplished as part of the overall assessment.