Here’s the bottom line. If you are a retail merchant that accepts credit cards, you need to comply with PCI Data Security Standards (DSS). If you process, store, or transmit cardholder data on behalf of your customers, you may be subject to PCI DSS as a Service Provider.
But what does that all really mean to the operation of your business?
PCI is a catch-all term that refers to debit and credit card security. The Security Standards Council, or SSC, develops the DSS, coordinates education and training, and promotes public awareness. The SSC was founded by five global payment brands: Visa, MasterCard, Discover, American Express, and JCB International.
The DSS itself is a set of standards organized into 6 goals and 12 requirements for securing cardholder data. The 6 goals are the following:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Who enforces compliance of PCI?
Compliance is enforced by the payment card brands and their partners.
What is a QSA?
QSA stands for Qualified Security Assessor. QSA companies, like Sera-Brynn, have employees trained by the SSC to audit compliance with DSS.
Do I need a QSA to perform my compliance audit?
This is determined by your acquiring bank with input from the card brands. If your company processes a large number of transactions or has experienced a data breach, you will be required to use a QSA to audit your cardholder data environment. You may choose to use a QSA for help interpreting the requirements of the DSS and ensuring that any statements you provide are accurate.
What is a SAQ?
A SAQ is a Self-Assessment Questionnaire. It allows a business to assess and certify its own cardholder data environment. There are 8 different SAQ types; which one you'll choose depends on how you process transactions. For example, a merchant that only accepts online payments with no face-to-face transactions may be eligible to use SAQ A or SAQ A-EP.
Who is responsible for merchant compliance?
The acquiring bank is liable for merchant compliance. But if your business is found to be the cause of a data breach, fines and fees will be passed to you.
Your bank may assess a monthly non-compliance fee (usually $20-40) if your company has not completed an Attestation of Compliance. This fee is determined by your processor, NOT by the SSC. However, if your business has engaged a QSA to assist with compliance, many processors will waive the fee.
All merchants, regardless of size, must conduct quarterly scans of the in-scope environment using an Approved Scanning Vendor (ASV).
What key things should businesses that accept credit cards do?
Determine the environment that is in-scope for an assessment. Anywhere cardholder data is collected, stored, or transmitted is generally considered in-scope. With your acquiring bank or payment brands, determine if you are eligible to complete a Self-Assessment Questionnaire (SAQ) or if you must use a QSA.
What should I do if I am eligible to complete a SAQ?
Select the correct SAQ. Only SAQ D requires you to attest to every requirement; the others cover a subset of controls that apply to the type of card processing you do. Review the DSS and begin to gather documentation. Complete the assessment and develop a plan to address any non-compliant items.
Following the assessment, conduct remediation actions. Finalize the documentation and complete the Attestation of Compliance.
Finally, submit the AOC to the acquiring bank or card payment brands as required.
Remember, the SAQ is a snapshot in time, but DSS compliance is ongoing. You must maintain compliance at all times.
If I am required to use a QSA, what now?
Identify the QSA company who will conduct the audit.
Identify the employees or individuals who play a role in the assessment.
Review the DSS and gather or create needed documentation.
Coordinate with the assessor prior to the onsite visit. The assessor will need to schedule interviews, conduct technical tests, and evaluate documentation. In many cases, where the environment is consistent across locations, the assessor will assess a sample of it. For example, a retail merchant with hundreds of stores will not have the assessor visit each location.
Once the assessment is complete, the assessor will issue a Report on Compliance.
A fully compliant merchant can then submit an Attestation of Compliance, or AOC. Any requirements not met will be identified in a gap analysis, and the merchant must develop a plan to address them.
Conduct remediation actions as needed.
Submit the AOC to the acquiring bank or card payment brands as required. Remember, the ROC is a snapshot in time, but DSS compliance is ongoing. You must maintain compliance at all times.
Questions? Contact us.