Regulatory Compliance, Governance and Security:

asv

Jun 26 2009   3:08PM GMT

PCI DSS Requirements and PCI DSS Merchant Levels | VISA



Posted by: Charles Denyer
PCI DSS Requirements and PCI DSS Merchant Levels | VISA, annual report on compliance, ROC, annual self assessment questionnaire, SAQ, Quarterly network scan by approved Scan Vendor, asv, Attestation of compliance form, Merchant Levels 1, 2, 3, 4, charles denyer

The PCI DSS requirements that apply to a merchant depend on the “Level” the organization falls into. Currently, there are four (4) Merchant Levels for PCI DSS compliance. What’s important to note is that these merchant levels are based on the transaction volume of cardholder data. But also keep in mind that many merchants who do not meet the more stringent Level 1 thresholds because of lower transaction volumes may still have to validate as Level 1 based on customer demands, their company’s marketing efforts, or possible regulatory requirements (e.g., you’ve been notified by your acquirer that you need to be Level 1 compliant).

Thus, here are the VISA Merchant Levels:

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year, OR any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 1 Requirements:
* Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
* Quarterly network scan by Approved Scan Vendor (“ASV”)
* Attestation of Compliance Form

Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 2 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 3 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

Level 4 Requirements:
* Annual SAQ recommended
* Quarterly network scan by ASV if applicable
* Compliance validation requirements set by acquirer

To learn more about PCI DSS compliance and merchant level requirements for the other payment brands (MasterCard, American Express, Discover Card, and JCB), visit pciassessment.org.

Dec 31 2008   11:25PM GMT

SAS 70 Audits and PCI DSS Compliance |What you NEED to Know



Posted by: Charles Denyer
PCI DSS, payment card industry data security standards, qsa, asv, SAS 70, sas 70 type ii audit, sas70.us.com, pciassessment.org

As an auditor, I am constantly approached by clients who want to know whether efficiencies can be obtained within the audit and assessment process when a company is undergoing both a SAS70 audit and a PCI DSS assessment. There’s no simple yes or no, black or white answer to this, as many variables come into play when conducting a SAS70 audit or a PCI DSS assessment for an organization.

What I can tell you, though, is that there are some common themes and drivers in both a SAS70 audit and a PCI DSS assessment. Both rely heavily on the existence of documented policies and procedures. Both examinations also cover various aspects of physical security, network security, logical security and change management, to name a few. You can quickly see the overlapping themes between a SAS70 audit and a PCI DSS assessment. So, that’s the YES answer to “audit efficiencies can be obtained” when a company has to undertake both. So, what’s the NO, or the gray area? Keep in mind that the PCI DSS assessment is a very technical examination, much more so than a SAS70 audit. At the same time, a SAS70 audit also covers the comprehensive business process controls applicable to the specific entity being examined. A PCI DSS assessment generally does not cover or assess the specific business processes that a SAS70 would. Thus, you can see the gaps between these two examinations.

To learn more about what SAS70 is, visit the official SAS70 Resource Guide.

To learn about Payment Card Industry (PCI) DSS compliance, visit the official PCI Resource Guide.