Keeping cardholder data safe and secure is an important part of your business as well as an agreement with your payment card brands and acquirers in order to accept the credit card based payments. Compromised data has a negative impact on everyone involved. Protecting data can help:
- Improve customer relationships
- Increase overall profitability in any program
- Prevent damage to your business’s reputation
This blog is part of our series of articles that will address frequently asked questions and provide a comprehensive guide on PCI DSS requirements and compliance.
Before we talk about QSA and on site assessment process for PCI compliance, heres a quick recap of the basics on PCI DSS.
What is PCI DSS?
PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. The PCI standards globally govern all merchants, programs, and organizations that store, process or transmit this data, and include specific requirements for software developers and manufacturers of applications and devices used in the transaction process.
PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards, store, process, and/or transmit cardholder data. Standard PCI DSS presents common sense steps that mirror best security practices you can follow toward minimizing the threat of data compromise and maintaining customer trust.
What is a Qualified Security Assessor (QSA)?
Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA Employees are individuals who are employed by QSA Companies and they have satisfied and continue to satisfy all QSA Requirements. Active QSA Employees can be found through a search tool on the PCI SSC Website.
Selecting the best Qualified Security Assessor (QSA) is critical. An experienced and knowledgeable QSA can help identify and assess card data security risks and assist organizations in reviewing the security of organizations payments transaction systems, personnel and processes to assess and validate compliance with PCI DSS.
QSA responsibilities include the following:
- Validating and confirming Cardholder Data Environment (CDE) scope as defined by the assessed entity.
- Selecting employees, facilities, systems, and system components accurately representing the assessed environment if sampling is employed
- Being on-site at assessed entity during the PCI DSS Compliance Assessment
- Evaluating compensating controls as applicable.
- Providing an opinion about whether the assessed entity meets PCI DSS Requirements
- Effectively using the PCI DSS ROC Reporting Template to produce Reports on Compliance
- Validating and attesting as to an entitys PCI DSS compliance status
- Maintaining documents, workpapers, and interview notes that were collected during the PCI DSS Assessment process and used to validate the findings
- Applying and maintaining independent judgement in all PCI DSS Assessment decisions
- Conducting follow-up assessments, as needed
- Stating whether or not the assessed entity has achieved compliance with PCI DSS
Do you require a Qualified Security Assessor (QSA)?
To demonstrate compliance with the PCI DSS, merchants and service providers may be required to have annual onsite PCI DSS Assessments conducted as required by each Participating Payment Brand.
PCI DSS Assessments are required to be conducted by a QSA Company through its QSA Employees in accordance with the PCI DSS, which contains requirements, testing procedures, and guidance to ensure that the intent of each requirement is understood.
The QSA Employee will document in the ROC the results of the PCI DSS Assessment, including which portions of the PCI DSS Assessment were conducted onsite. The ROC must accurately represent the assessed environment and the security controls evaluated by the QSA Employee.
Merchants and service providers should consult with their acquirer or participating payment brands to confirm what PCI DSS validation and reporting method is applicable. If on-site assessment and ROC is the appropriate method, they should also confirm the acceptable method of reporting per their acquirer or the participating payment brands.
An RoC usually applies to Level 1 and 2 merchants and service providers, but organizations that have to complete a self-assessment questionnaire (SAQ) will find that using a QSA lends greater credibility to the completed SAQ.
Do you require an on-site assessment?
For the Level 1 Merchants and Level 1 Service Providers an annual onsite security assessment is a requirement, in order to perform a detailed onsite examination of your equipment, systems, and networks (and their components) where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed or transmitted. It must be performed by a QSA and submitted annually to the payment brand on the applicable Attestation of Compliance (AOC). The AOC must certify compliance with all requirements of the PCI DSS and, upon request, include copies of the full report on compliance.
For the Level 2-4 merchants or Level 2 service providers an onsite security assessment is not a requirement, however the acquirer or payment brand may direct an entity to perform an onsite security assessment.
If you are not required to perform an onsite security assessment, a QSA can review the responses to Self Assessment Questionnaire (SAQ) and all submitted documentation to validate your organizations PCI compliance. Whether you are required to have a QSA onsite to perform PCI assessment or not, it is important to consider the cost benefits of having a QSA onsite to perform an assessment. A QSA onsite can:
- Conduct extensive interviews with the personnel who have access to or manage the cardholder environment (CDE) to assess the overall compliance level with relevant requirements
- Provide PCI assessment and advice in order to effectively protect the card data from external and internal threats as well as help create best practices in making security a BAU (business as usual) component within the organization
- Engage in scope reduction exercise by reviewing the network environment and physical locations in order to lower assessment and CDE maintenance costs and increase security.
- Conduct physical walkthroughs and observe security implementation, configurations, and that security awareness training practices and procedures are in place.
- Evaluate, verify and validate security controls in place in person
It may be beneficial for an organization to conduct an annual on-site assessment and periodic remote assessments in order to create and maintain a secure CDE as well as manage cost-effective PCI compliance on an ongoing basis.
The tables below provide a general guide to determine compliance reporting and compliance validation requirements for the merchants and service providers. Please contact your acquiring bank or payment brand (for service providers) for the level and reporting requirements specific to your organization.
Table 1 – General Merchant Levels and PCI reporting requirements
| Criteria | Merchant Level | PCI Compliance Requirements |
| 6M or more card transactionsOrIf the acquirer or payment brand determines | Level 1 |
|
| More than 1M and less than 6M card transactions | Level 2 |
|
| More than 20,000 and less than 1M card transactions | Level 3 |
|
| All others | Level 4 |
|
Service Provider Levels and PCI reporting requirements
A service provider is a business entity that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services, as well as hosting providers and other entities.
Table 2 – Service Provider Levels and PCI reporting requirements
| Criteria | Service Provider Level | PCI Compliance Requirements |
| store, process, or transmit more than 300,000 credit card transactions annually | Level 1 |
|
| store, process, or transmit less than 300,000 credit card transactions annually | Level 2 |
|
What are a few quick steps you can take to ensure credit card data security?
- Buy and use only validated payment software at your POS or website shopping cart.
- Do not store any sensitive cardholder data in computers or on paper.
- Use a firewall on your network and PCs.
- Make sure your wireless router is password-protected and uses encryption.
- Use strong passwords. Be sure to change default passwords on hardware and software most are unsafe.
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or skimming devices.
- Teach your employees about security and protecting cardholder data.
- Follow the PCI Data Security Standards.
| Data Do’s | Data Don’ts |
| Do understand where payment card data flows for the entire transaction process | Do not store cardholder data unless its absolutely necessary |
| Do verify that your payment card terminals comply with the PCI Personal Identification Number (PIN) Transaction Security (PTS) requirements | Do not store sensitive authentication data contained in a payment cards chip or magnetic stripe, including the 3-4 digit card verification code or value printed on the front or back of the payment card, after authorization. |
| Do verify that your payment applications comply with the Payment Application Data Security Standard (PA-DSS) | Do not have payment terminals print out personally identifiable payment card data; printouts should be truncated or masked |
| Do retain (if you have a legitimate business need) cardholder data only if authorized, and ensure its protected. | Do not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops or smartphones |
| Do use strong cryptography to render unreadable cardholder data that you store, and use other layered security technologies to minimize the risk of exploits by criminals | Do not locate servers or other payment card system storage devices outside of a locked, fully secured and access-controlled room |
| Do ensure that third parties who process your customers payment cards comply with PCI DSS, PTS and/or PA-DSS as applicable. Have clear access and password protection policies. | Do not permit any unauthorized personnel to access stored cardholder data |
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.
About RSI Security
RSI Security is the nation’s premier information security and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulations. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI can assist all sizes of organizations in managing IT governance, Risk management and compliance efforts (GRC).
