The PCI Security Standards Council addresses two types of entities that handle cardholder data in the Data Security Standard: merchants and service providers. Certain requirements in the PCI DSS have to be met only by service providers.
Further, the Council has created Self-Assessment Questionnaires (SAQs) for merchants and service providers whose risk profile is not significant; these entities can use an SAQ when requested to by their acquiring banks or the payment brands.
Currently there are 8 PCI SAQs, created for various types of merchants.
For a detailed explanation of the SAQs, read our blog post “What is the Right SAQ for You?”
A Qualified Security Assessor (QSA) will perform an audit of your operating environment and evaluate it against the 12 requirements and 300 sub-requirements set out in the PCI DSS standard.
On successful evaluation, the QSA will award your organisation a PCI DSS Compliance Certificate. The certificate will be your badge of honor, recognizing the effort you have put into prioritizing security.
As we said, becoming PCI compliant requires meeting the 12 requirements and 300 sub-requirements set out in the PCI DSS standard.
Reach out to our QSA team to perform a quick reconnaissance of your environment and chart out a compliance plan.
A Qualified Security Assessor is one who has been qualified by the PCI Security Standards Council (PCI SSC) to conduct PCI assessments. A QSA has to meet a stringent set of requirements laid down by the PCI SSC, in addition to sitting regular examinations.
It is therefore critical that you invest your time with a QSA that is recognized by the PCI SSC. Otherwise, the certificate will not be recognized by the PCI SSC or by the industry. The list of certified QSA companies can be found at pcisecuritystandards.org.
No. It’s a yearly affair. PCI certification is an ongoing compliance process: you will need to engage a QSA to renew your certification on an annual basis.
Having said that, getting the environment set up correctly and delegating tasks appropriately according to roles and responsibilities in the first round is the key to easier and more effective ongoing compliance.
Not being PCI compliant while accepting payments from American Express, Discover, JCB, MasterCard or Visa payment cards is a VIOLATION and will incur fines.
Being PCI non-compliant and suffering a breach would mean that you are looking at penalties ranging between $5,000 and $500,000.
Besides the fines, you are also looking at:
- Cost of data breach + customer damages
- Not being able to accept card payments in the future
- Losing your merchant account status
- Being listed in the Terminated Merchant File (TMF) managed by Visa and MasterCard
Loss of reputation and customer trust goes without saying.
To quote from the PCI DSS standard,
“a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.”
And a service provider is a
“Business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.”
Now, can a merchant also be a service provider? Absolutely, if the merchant is providing services to other entities.
A ROC is a Report on Compliance, which has to be filled out by a PCI QSA on completion of the audit.
An AOC is an Attestation of Compliance, a form used by merchants and service providers to attest to the results of the PCI DSS audit.
Of these, the AOC is the document that has to be submitted to acquiring banks, payment brands, regulatory bodies or customers to demonstrate PCI DSS compliance.
Yes. In fact, these scans can only be performed by a PCI SSC Approved Scanning Vendor (ASV). The PCI DSS standard mandates quarterly external scanning of all publicly accessible devices and servers for Level 1, 2 and 3 merchants and for all service providers.
Yes, Crossbow Labs also provides PCI ASV scans, and we have a solid engineering team that can support you in meeting the PCI DSS requirements.