Are You Ready for a ROC?
We recently answered the question, “How do I know if I have to be PCI compliant?” That post is a good starting point for those new to the Payment Card Industry (PCI) world. Now, are you ready for a ROC? In this second installment of our three-part PCI compliance series, we go into more depth on the PCI Report on Compliance (ROC) and how to prepare for one.
What is a PCI-DSS ROC?
A PCI ROC is the formal report produced by an assessment that tests whether the security controls an organization has put in place actually protect cardholder data. The PCI DSS standard that the ROC is measured against, and the ROC reporting template itself, are maintained by the PCI Security Standards Council (PCI SSC), which was founded by American Express, Discover, JCB International, MasterCard, and Visa.
During a ROC assessment, an independent Qualified Security Assessor (QSA) examines whether the organization’s policies, procedures, and technical controls are implemented as described and adequately protect cardholder data. The QSA documents the findings in the ROC, and the accompanying Attestation of Compliance (AOC) summarizing the result is submitted to the acquiring bank (and, where required, to the card brands) as evidence of compliance.
Do I Need a ROC?
Whether an organization needs a ROC assessment depends on the volume of transactions it handles and on the requirements of the card brands it accepts, since each brand defines its own merchant levels. A Level 1 merchant (under Visa’s definition, one processing more than 6 million Visa transactions per year) must have an annual on-site assessment by a QSA that results in a ROC; service providers have their own, lower, Level 1 threshold. Merchants at lower levels normally complete a Self-Assessment Questionnaire (SAQ) instead, but a card brand or acquiring bank can require a full ROC from any merchant on a case-by-case basis, for example after a breach.
What Happens if I Don’t Complete a Required ROC?
While the PCI DSS requirements are developed and maintained by the PCI Security Standards Council (SSC), they are enforced by the five payment card brands: Visa, MasterCard, American Express, JCB International, and Discover, acting through the acquiring banks that contract with merchants.
Whether you must complete a ROC or a Self-Assessment Questionnaire (SAQ), failure to comply with PCI requirements can lead to heavy fines and penalties, higher transaction fees, or revocation of the ability to accept card payments.
Fines are levied by the card brands on the acquiring bank, which typically passes them on to the merchant. They are commonly cited as ranging from $5,000 to more than $100,000 per month, with repeat offenders incurring additional fines. The actual amount depends on the merchant’s size, its transaction volume, its merchant level, and how long it has been non-compliant.
In addition to these hard costs, PCI infractions can become public and damage the reputation of the violator. After all, PCI compliance exists to protect cardholders. If a merchant cannot show that it is carrying out the PCI DSS controls, its customers have good reason to stop trusting it with their card data.
Am I Ready for My ROC?
The PCI DSS is designed to help organizations properly secure cardholder data. The required controls and the testing procedures a QSA applies to each of them are published openly, so an organization can identify and correct any shortcomings in its existing security program before anyone else does.
The official ROC reporting template, which lists every requirement and the exact evidence a QSA will ask for, is available from the PCI SSC document library. The earlier an issue is identified and corrected, the less likely it is to cause a breach or a failed ROC assessment.
The best way to prepare for a ROC is to perform an internal gap assessment against that template to identify any shortcomings in your organization’s current controls. Findings can then be remediated before the actual assessment, which both improves the probability of passing the ROC and improves the security of the cardholder data your organization processes, stores, or transmits.
Ideally, these internal assessments should be built into your organization’s security program, with compliance checked on a regular or continuous basis rather than once a year. Whenever a component of the cardholder data environment is added, updated, or upgraded, its configuration should be re-tested against the standard, because a change that silently drifts out of compliance will be found by the QSA if it is not found by you first.
For those new to PCI who are asking themselves whether they are ready for a ROC, Sword & Shield offers a PCI readiness assessment to make sure you are prepared for the audit.
Sword & Shield also offers a full range of PCI compliance services. We take the burden off you by providing expert QSAs, security engineers, technical writers, and more to deliver world-class, competitively priced PCI services that help you fulfill your requirements. We also offer the penetration testing that PCI DSS requires, as well as the monitoring and logging controls it calls for, through our award-winning managed security services.