A QSA is simply an individual who has gone through the licensing to become an expert in PCI DSS compliance. This is somebody who has been awarded the designation by the Payment Card Industry Security Standards Council, known as the PCI SSC.

For more information about PCI DSS compliance and in hiring a QSA for all your Level 1 needs, visit the official PCI DSS Resource Guide.

And lastly, MasterCard has now strengthened their requirements to make Level 2 merchants also undertake an on-site PCI DSS assessment.

Thus, if you need to become PCI DSS compliant, there are a number of valuable resources to look at. But first and foremost, you need to understand what Level you fall into for PCI DSS compliance. For merchants, you can be categorized anywhere from a Level 1 to a Level 4. Level 1 audit require an on site PCI DSS assessment, while other Levels you can conduct a PCI DSS Self Assessment. These are general rules, however. Compelling business requirements would require some Level 2, 3, and 4 providers to possibly have an on site audit conducted. Also, there are varying requirements depending on your transaction level between the major payment brands. Find out what your transaction level is, first and foremost.

Additionally, there are also requirements for service providers, thus you will need to identify your transaction level also.

Again, this all depends on the merchant levels and you have to understand that these PCI DSS merchant levels are different for each of the respective payment brands. So, let’s take a closer look at this.

Discover Card: They do not even use merchant level categories, rather, they use a risk based approach for assigning PCI DSS requirments.

VISA: Visa uses Levels 1 to 4 for classifying merchant levels. Learn more about VISA Merchant requirments

American Express, JCB, MasterCard: These major payment brand heavyweights also have identify merchants from Levels 1 to 4, and again, this is based on transaction volume. Learn more about their PCI DSS merchant levels.

But here’s what else you need to know about payment card industry compliance and how it could affect you.

Payment Application Data Security Standard (PA-DSS)
The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS.

Pin Entry Devices (PED)
To gain approval by PCI Security Standards Council, PIN entry devices must comply with the requirements and guidelines specified by a number of documents listed on the PCI SSC website.

In summary, these are two additional compliance initiatives outside of the traditional PCI DSS assessments that many people are not familiar with. I’ll be covering these in a much more in-depth manner in subsequent blogs.