Regulatory Compliance, Governance and Security: ROC

Aug 29 2009   1:31PM GMT

PCI DSS Compliance | Watch out for the “Road Blocks”

Posted by: Charles Denyer
Tags: pci dss compliance, qualified security assessor, qsa, charles denyer, merchants, service providers, two factor authentication, web application firewall, software code review, intrusion detection system, report on compliance, ROC

PCI DSS compliance, especially an on-site review conducted by a Qualified Security Assessor (QSA), can take an immense amount of time before the Report on Compliance (ROC) is completed and received.
What most merchants and service providers fail to recognize is that numerous issues can become “roadblocks” on the way to achieving PCI DSS compliance.

As a QSA, I’ve listed some examples of common items that require remediation before compliance can be achieved. These items are considered major “roadblocks” because of the time, money and effort needed to incorporate them into the cardholder data environment:

1. Two-factor authentication
2. Web application firewall and/or software code reviews
3. Intrusion Detection Systems (IDS)
4. Documented policies and procedures specifically related to PCI DSS compliance

These four items are typically what catch merchants and service organizations off guard. Be prepared and be proactive: find a quality, competent QSA to help with all your PCI DSS compliance needs.

Jun 26 2009   3:08PM GMT

PCI DSS Requirements and PCI DSS Merchant Levels | VISA

Posted by: Charles Denyer
Tags: PCI DSS Requirements and PCI DSS Merchant Levels | VISA, annual report on compliance, ROC, annual self assessment questionnaire, SAQ, Quarterly network scan by approved Scan Vendor, asv, Attestation of compliance form, Merchant Levels 1, 2, 3, 4, charles denyer

PCI DSS requirements for merchants depend on the “Level” your organization falls into. Currently, there are four (4) merchant levels for PCI DSS compliance. What’s important to note is that these merchant levels are based on the transaction volume of cardholder data. But also keep in mind that many merchants who do not meet the more stringent Level 1 criteria because of lower transaction volumes may still have to become Level 1 compliant based on customer demands, marketing efforts for their company, or possible regulatory requirements (e.g., you’ve been notified by your acquirer that you need to be Level 1 compliant).

Thus, here are the VISA Merchant Levels:

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year, OR any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 1 Requirements:
* Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
* Quarterly network scan by Approved Scan Vendor (“ASV”)
* Attestation of Compliance Form

Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 2 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 3 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

Level 4 Requirements:
* Annual SAQ recommended
* Quarterly network scan by ASV if applicable
* Compliance validation requirements set by acquirer

To learn more about PCI DSS compliance and merchant level requirements for the other payment brands (MasterCard, American Express, Discover Card, and JCB), visit pciassessment.org.

Jun 16 2009   2:35AM GMT

SAS 70 Audits and PCI DSS | Yes, There is a Big Difference

Posted by: Charles Denyer
Tags: charles denyer, sas 70 type ii audit, PCI DSS, payment card industry data security standards, PCI DSS Level 1 compliance, report on compliance, ROC, audits, assessments, cpa firm

SAS 70 audits, especially Type II reports, and PCI DSS Level 1 Report on Compliance (ROC) assessments are dominating today’s regulatory compliance arena. Painfully, as a SAS 70 auditor and a PCI DSS assessor, I keep hearing people talk about these two compliance initiatives as if they are one and the same. Stop. They are different.

Don’t get me wrong, efficiencies of scale can be had, and I will talk about that in a later post, but generally speaking this is like comparing apples to oranges. Here’s why.

The SAS 70 auditing standard is a loose and flexible standard, allowing auditors to employ (and they do) various methodologies, benchmarks, standards, and frameworks when performing SAS 70 audits.

The Payment Card Industry Data Security Standard (PCI DSS) requirements are much more rigid and far less open to interpretation.

Ever read one SAS 70 report from a CPA firm and then picked up a report on a similar company issued by another CPA firm? If so, you probably noticed they looked and “read” quite differently. Well, no surprise there.

Now, try that with two PCI DSS Level 1 Reports on Compliance. Sure, they won’t be identical, but they’ll be much more similar than the two SAS 70 reports.

Want to learn more about SAS 70 audits and PCI DSS assessments? If so, visit the official SAS 70 Resource Guide and the Official PCI DSS Assessment Resource Guide.