Per a study from TSYS, 80 percent of US consumers prefer credit or debit card payments over cash and other options. So, if your organization doesn’t process card payments, you potentially inconvenience four out of five prospective customers, which at scale is a considerable disadvantage. Still, consumers are concerned about the security of their financial data when paying with a card. Businesses must secure all card payments through compliance with the Payment Card Industry Data Security Standard (PCI DSS). Completing a PCI Attestation of Compliance (AOC) is a critical step to complying and earning customers’ trust.
Steps Toward Completing Your PCI Attestation of Compliance
The PCI DSS applies to all organizations that store, transmit, or otherwise process cardholder data (CHD). It was developed by the PCI Security Standards Council (SSC) and is enforced through the SSC Founding Members (Visa, Mastercard, Discover, AmEx, and JCB). Filling out an AOC is required for all but the smallest businesses, and completing it generally involves three steps:
- Determining your Merchant Level and whether an AOC is required for compliance
- Filling out your Self-Assessment Questionnaire (SAQ) to prepare for verification
- Working with a PCI-certified assessor to verify your SAQ through an AOC form
Working with a PCI compliance partner facilitates all steps of the process.
Step 1: Know Your PCI Level and its Requirements
Not all organizations that need to be PCI compliant are required to submit an AOC. However, many are, and what determines eligibility is a company’s PCI Level, which corresponds to its annual transaction volume. PCI Levels are defined by particular SSC Members, such as Visa and Mastercard. Their definitions differ slightly, but their requirements are similar.
There are also slight differences in PCI Level between merchants and service providers.
Note that PCI DSS compliance isn’t federally mandated. However, any data breach or other non-compliance infraction can result in significant fines from the card issuing companies, along with other consequences such as seizure of service, depending on severity. Enforcement may also depend upon PCI Level, but it more commonly depends upon the infraction itself.
What are the Levels of PCI Compliance for Merchants?
- PCI Merchant Level 1 – All merchants who process over six million transactions per year, across all channels, must be audited by a Qualified Security Assessor (QSA), which leads to a Report on Compliance (ROC), along with the required AOC.
- PCI Merchant Level 2 – All merchants who process between one million and six million transactions per year, across all channels, must fill out the SAQ and verify it via AOC.
- PCI Merchant Level 3 – All merchants who process between 20,000 and one million e-commerce transactions per year must fill out the SAQ and verify it via AOC.
- PCI Merchant Level 4 – All merchants who process fewer than 20,000 e-commerce transactions or fewer than one million total transactions per year must fill out the SAQ form.
Note: Like the ROC, an AOC at Levels 2 and 3 must be filled out by a PCI-certified QSA.
The other major card brand for US-based organizations is Mastercard, and its Merchant Level definitions are nearly identical. However, it requires just an SAQ (no AOC) for Levels 2, 3, and 4.
What are the Levels of PCI Compliance for Service Providers?
Merchants aren’t the only organizations that must comply with the PCI DSS. According to the PCI SSC glossary, a service provider is a company that is directly involved with processing or storing CHD or related information pertaining to cards issued by SSC Founding Members. The PCI Levels for compliance applicable to service providers, according to Mastercard, include:
- PCI Service Provider Level 1 – Various third-party processors (TPPs) and related service providers, along with data storage entities (DSEs) and payment facilitators (PFs), provided they process over 300,000 transactions per year, must submit an ROC form.
- PCI Service Provider Level 2 – Lower-volume DSEs and PFs, processing fewer than 300,000 transactions per year, along with terminal servicers (TSs), must submit an SAQ.
Mastercard requires all service providers to submit an AOC alongside other documentation. All organizations, except merchants at Level 4, need to work with an assessor to verify compliance.
Step 2: Fill Out Your Self-Assessment Questionnaire
All PCI-eligible companies, except for those required to submit ROC documentation, must complete the SAQ. The AOC form is a verification of answers submitted in the SAQ (or ROC).
Like the PCI Levels, there are slightly different variations on the SAQ form depending on the kind of organization filling it out. For example, there are seven particular versions for merchants who use different technologies to collect, retain, and generally process CHD—those who fully outsource CHD processing use SAQ-A, and those with imprint-based collection technologies use SAQ-B. There is also a catch-all SAQ for all other merchants and service providers.
Every SAQ has the same format. It asks simple yes or no questions about the 12 Requirements within the PCI DSS, with room to elaborate on alternative methods that are used to meet them.
What DSS Framework Elements Are Assessed in SAQ Forms?
The core of the PCI DSS comprises 12 Requirements, which are distributed across six Goals:
- Maintain Secure Networks and Systems
  - Requirement 1 – Maintain firewall configurations to protect CHD
  - Requirement 2 – Replace vendor-supplied and default settings
- Protect all Controlled Cardholder Data
  - Requirement 3 – Safeguard all CHD that exists in storage
  - Requirement 4 – Encrypt CHD for traffic on public networks
- Maintain Threat and Vulnerability Management
  - Requirement 5 – Maintain up-to-date anti-malware protections
  - Requirement 6 – Maintain security of developed apps and software
- Install and Maintain Access Control Protections
  - Requirement 7 – Restrict CHD access by users’ business need to know
  - Requirement 8 – Authenticate identity for access to systems containing CHD
  - Requirement 9 – Physically restrict all access to systems containing CHD
- Monitor Network Activity and Assess Security
  - Requirement 10 – Monitor network access related to CHD environments
  - Requirement 11 – Assess network and system security at regular intervals
- Develop and Maintain Formal Security Policies
  - Requirement 12 – Maintain policies addressing security for all personnel
Note: Irrespective of Level and AOC or ROC requirements, all PCI-eligible organizations must work with an Approved Scanning Vendor (ASV) for Requirement 11.
Step 3: Verify An SAQ or ROC with Full AOC Certification
Once an organization’s implementation has been assessed, whether internally (via SAQ) or externally (via ROC), it’s time to verify the assessment via AOC. In the case of a ROC audit, the same QSA who is completing the ROC will likely also complete the AOC documentation—the ROC is, after all, a less intensive version of the AOC. Merchants at Levels 2 and 3 or Service Providers at Level 2 will need to seek out a QSA who can assist them in verifying their findings.
This is the easiest step of all; the only real challenge is selecting a QSA to be your partner.
While it may be appealing to seek out a single-service company such as a PCI attestation of compliance service provider, most organizations benefit from partnering with a holistic PCI compliance partner. RSI Security is one of the few providers certified as both an ASV and a QSA. We’ll guide your team through all elements of implementation and certification.
Achieve PCI DSS Compliance with Professional Help
For any organization that processes or comes into contact with CHD, getting a PCI attestation of compliance certificate or equivalent documentation of PCI compliance is essential.
RSI Security is committed to helping your team rethink your regulatory compliance programs, along with your entire cyberdefense architecture. To get started streamlining and optimizing your cybersecurity, contact RSI Security today!