How Do I Know If I Have to Be PCI Compliant?
Payment Card Industry compliance is intended to make credit and debit card transactions more secure and to protect cardholders against misuse of their personal information. This article explains who must be PCI compliant, the levels of compliance, the role of PCI experts, and the types of reporting that must be completed.
What is the PCI DSS Standard?
The PCI Data Security Standard (PCI DSS) is a standard developed and maintained by the PCI Security Standards Council. It is designed to help organizations appropriately protect their customers’ credit and debit card data. PCI DSS specifies the security controls that an organization needs to implement based upon the specifics of how it processes cardholder information.
Who Needs to Be Compliant with PCI DSS?
The PCI DSS standard is designed to protect the personal data of credit and debit card users. For this reason, the standard applies to any organization that processes, stores, or transmits cardholder data. If your organization accepts cardholder data, you are responsible for ensuring that the data is protected by the necessary security controls throughout its entire lifecycle. This includes ensuring that any vendors that process, store, or transmit data collected by you are doing so in compliance with the PCI DSS standards.
Levels of PCI Compliance
There are four merchant levels of PCI compliance, defined by Visa and Mastercard and based largely on annual card transaction volume. They are as follows:
- PCI Compliance Level 1 – More than six million Visa and/or Mastercard transactions processed per year
- PCI Compliance Level 2 – One to six million Visa and/or Mastercard transactions processed per year
- PCI Compliance Level 3 – 20,000 to one million Visa and/or Mastercard e-commerce transactions processed per year
- PCI Compliance Level 4 – Fewer than 20,000 Visa and/or Mastercard e-commerce transactions processed per year, and all other merchants that process up to one million Visa transactions per year
Types of PCI Compliance Reporting
PCI compliance reports come in two different types. The types of reports that your organization must complete are generally based upon the ways your organization processes cardholder data and the volume of card transactions processed each year. However, this is at your merchant bank’s discretion and can change depending on several factors including a company’s history of reporting compliance and the status of that reporting.
The first type of compliance report is called a Self-Assessment Questionnaire (SAQ). If your organization processes any payment card data (i.e. is subject to PCI DSS), then you are required to complete an SAQ at minimum. PCI DSS provides SAQs to help organizations determine the PCI DSS security controls with which they need to comply. There are several different SAQ types, labeled A through D. SAQ A requires the fewest security controls to be implemented, and SAQ D is the most stringent. An attested SAQ D requires a Qualified Security Assessor to be involved. The determination of which SAQ applies to your organization can be found here.
If your organization is a Level 1 merchant (over 6 million transactions per year), you are required to complete a PCI DSS Report on Compliance (ROC). Merchants at other levels may also be required to complete a ROC on a case-by-case basis determined by the acquirer (bank). The reporting template for a ROC assessment is provided by PCI and is a good starting point for determining the security controls required for your organization.
Qualified Security Assessor Role in PCI Compliance
Qualified Security Assessor (QSA) is a designation conferred by the PCI Security Standards Council on professionals it deems qualified to perform PCI assessments and consulting services. To perform PCI compliance assessments, a person must meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, and be an employee of a Qualified Security Assessor (QSA) company.
QSA training and certification are rigorous. The PCI Council designed them to ensure that assessors have a deep knowledge and understanding of PCI compliance requirements and can apply those standards consistently in their assessments.
In addition, the PCI Council recently created the designation of Associate QSAs (AQSA) to help fill demand for PCI compliance professionals and to provide a path to enable QSA companies to develop new resources into fully qualified QSA employees. AQSAs are qualified by PCI SSC to support QSA employees on PCI DSS assessments.
What Should I Do Next?
After determining that your organization is subject to the PCI DSS standard, the next step is determining the appropriate reporting type. The requirements differ between an SAQ and a ROC, and between the various SAQ types. Understanding the exact requirements that your organization needs to meet to achieve PCI compliance is important for appropriately allocating time and resources.
Sword & Shield offers PCI compliance and virtual QSA services to help relieve this burden. Our QSAs and AQSAs assist you throughout the compliance process, using their knowledge of PCI DSS to apply controls to your business. Learn more here or reach out for a free consultation to get started.