1. What does PCI DSS mean?
The Payment Card Industry Data Security Standard (PCI DSS) is a security framework that is governed by the Payment Card Industry Security Standards Council (PCI SSC), an independent industry standards body providing oversight of the development and management of the PCI DSS on a global basis. PCI SSC founding payment brands include the five major payment brands: American Express, Discover, JCB, MasterCard and Visa.
2. Who is subject to the PCI DSS?
The PCI DSS is a regulatory requirement for all entities which store, process or transmit cardholder data. There are two types of subject entities, merchants and service providers.
3. How do you demonstrate PCI DSS compliance?
There are two ways to demonstrate PCI compliance: 1) completing a Self-Assessment Questionnaire (SAQ) (note that there are various SAQ types, depending on how the entity stores, processes, and/or transmits cardholder data), or 2) obtaining a Report on Compliance (ROC).
The SAQ is a validation tool for eligible organizations who self-assess their PCI DSS compliance and who are not required to submit a ROC to their Acquirer or Payment Brand.
Whether an organization must fill out a SAQ or engage a QSA firm to perform an on-site assessment and issue a ROC is based upon transaction volume and criteria defined by individual payment brands.
For high-growth technology companies, the ROC is the most common way in which a service provider demonstrates their PCI DSS compliance to their customers and prospects. The ROC is a point-in-time pass/fail assessment that must be performed by a qualified security assessor (QSA) firm or internal resource, depending on the level of compliance required. For Level 1 compliance, the ROC must be completed as an independent assessment by a QSA firm.
Note – PCI SSC sets the PCI Security Standards, but each payment card brand has its own program for compliance, validation levels and enforcement. For more information about compliance programs, contact the payment brands or your acquiring bank.
4. How often is PCI DSS compliance demonstrated?
The SAQ and ROC are both performed annually.
5. What’s the difference between a merchant and a service provider?
Merchants are those entities which store, process or transmit cardholder data that reconciles into their merchant ID, with their merchant bank. PCI SSC defines a merchant as “any entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.”
Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
Service Providers store, process or transmit cardholder data on behalf of merchants or another entity (e.g. other service providers). As stated above, in some cases, a service provider is also a merchant. Note that per the PCI SSC, a service provider also includes “companies that provide services that control or could impact the security of cardholder data.” Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities.
6. I need to be PCI DSS Level 1 compliant – Who performs my PCI DSS assessment?
A Qualified Security Assessor (QSA) firm, such as risk3sixty, is a data security firm qualified by the PCI Security Standards Council to perform on-site PCI DSS assessments. For Level 1 compliance, companies must engage a QSA firm to complete their PCI DSS assessment and issue the ROC as well as an Attestation of Compliance (AOC).
QSA responsibilities include the following:
- Verify all technical information given by the entity.
- Use independent judgment to confirm the standard has been met.
- Provide support and guidance during the compliance process.
- Be onsite during the assessment, as required.
- Adhere to the PCI DSS Security Assessment Procedures.
- Validate the scope of the assessment.
- Evaluate any compensating controls.
- Produce the final report.
7. How do you complete a PCI DSS assessment?
1) Project planning and kick-off
2) Documentation collection
3) Interviews with leadership and control owners
4) Onsite fieldwork
5) Assessment documentation and reporting
6) Iterative review and final publishing of the ROC
8. How long does it take to be PCI DSS compliant?
Because a PCI DSS assessment is a point-in-time assessment, organizations are generally encouraged to first perform a gap assessment to identify where their controls fall short of the PCI DSS requirements. Once gaps have been identified, the organization must implement the necessary security controls before undergoing the PCI DSS assessment. Because the length of that remediation period varies widely, we generally advise organizations to plan for a six (6) to nine (9) month compliance journey to have a ROC in hand.
9. How much does a ROC cost?
In general, depending on the scope and complexity of an entity’s environment, an independent PCI DSS assessment that results in the issuance of a ROC and AOC may cost between $35,000 and $55,000.