Justin Bonk, CISSP, PCI-QSA, CIA, CISA, CIPP/US
Senior Manager, Freed Maxick Risk Advisory Services
An Introductory Guide for Company Executives New to the World of PCI Compliance
You’ve just received notification that your organization needs to become PCI compliant. Fantastic – but what does that actually entail? After some initial research on the internet to figure out what PCI compliance requires, you find yourself even more confused about everything than when you started. Fear not, for there are five key steps you can take immediately that will help you determine your path forward in achieving PCI compliance:
1.) PCI Compliance Guide Step 1: Determine if you are a Merchant or a Service Provider (or both)
PCI’s formal definition of a merchant is “any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.” If you’re dealing directly with your own customers who are paying via credit card, you’re a merchant.
A Service Provider is defined as “any entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.” If you’re dealing with another organization’s credit card data, you’re a service provider.
To make matters a bit more complicated, some organizations, based on the nature of their services, may be considered both a Merchant and a Service Provider.
2.) PCI Compliance Guide Step 2: Determine your Merchant or Service Provider Compliance Level
A Merchant or Service Provider compliance level determines how an organization must validate its compliance. Levels are set by the individual card brands (each brand publishes its own thresholds) and are based on the number of card transactions an organization handles per year, not their dollar value.
If you are a Merchant, there are levels 1 through 4. Level 1 is the most stringent and requires a full Report on Compliance (ROC) performed by a QSA (or by a PCI-certified Internal Security Assessor, where the brand allows it). The remaining levels require less stringent validation.
If you are a Service Provider, there are 2 levels. Level 1 Service Providers must complete a full Report on Compliance; level 2 Service Providers may complete a Self-Assessment Questionnaire (SAQ), with or without the assistance of a Qualified Security Assessor (QSA).
3.) PCI Compliance Guide Step 3: Determine the Correct Self-Assessment Questionnaire (if Applicable)
A Level 1 Merchant or Service Provider must undergo a full Report on Compliance (ROC). If you’re deemed to be less than Level 1, you likely can complete a Self-Assessment Questionnaire (SAQ) to validate your compliance.
The specific SAQ to be completed depends on two things – whether your organization is a Merchant or a Service Provider, and exactly how your organization interacts with cardholder data. If you are a Service Provider, the answer is easy: all Service Providers complete the SAQ D for Service Providers. If your organization is a Merchant, there are eight different SAQs, each designed for a specific scenario in which a card payment is received (for example, fully outsourced e-commerce, standalone dial-out terminals, or a virtual terminal).
Because each SAQ is tied to a precise payment flow, and its eligibility criteria must all be met before you can use it, it can be difficult to determine the correct SAQ for your circumstances. If in doubt, consult a QSA and confirm you have selected the right SAQ before you validate against it – an SAQ you were not eligible for does not validate compliance.
If, like many organizations, you have multiple distinct payment channels (e.g. an online store and an in-person, card-present retail location), you may either complete a separate eligible SAQ for each channel or complete the SAQ D for Merchants, answering the requirements that apply to your payment processes and documenting the justification for any requirement you mark as not applicable.
4.) PCI Compliance Guide Step 4: Determine the Extent, if any, you'll Need to Utilize a Qualified Security Assessor (QSA)
QSAs are security assessors who have been formally certified by the PCI Security Standards Council (PCI SSC) as qualified to validate an organization's PCI compliance. A QSA must also be employed by a Qualified Security Assessor Company (QSAC) to provide attestation services; the QSAC, not the individual, holds the engagement.
If your organization is undergoing a full Report on Compliance (ROC), the ROC and the associated Attestation of Compliance (AOC) must be signed both by a representative of your organization and by a QSA who has tested your controls, reviewed your policies, procedures and evidence, and confirmed that you comply with PCI DSS.
Self-Assessment Questionnaires (SAQs), however, give an organization more flexibility, and are not inherently required to be signed by a QSA.
As the name implies, with an SAQ you are assessing your own organization. In these cases, you have discretion as to the degree to which you involve a QSA.
It is often worthwhile to engage a QSA to help interpret the questions and the appropriate responses in an SAQ, particularly on your first foray into PCI compliance. Conversely, you may have the in-house expertise to complete the SAQ yourself – in that case you can complete and sign the SAQ without a QSA. If you go that route, we recommend an open dialogue with your acquiring bank, clients and business partners about whether they require the SAQ to be signed by a QSA.
5.) PCI Compliance Guide Step 5: Determine if Segmentation will be Used in your PCI DSS Assessment
Network segmentation is the practice of dividing a network into smaller, purpose-specific segments that are locked down and reachable only by authorized personnel and processes.
From a PCI compliance perspective, network segmentation is not a PCI DSS requirement, but it is the approach that can most dramatically reduce the size and scope of an assessment. Properly implemented segmentation confines the scope to the cardholder data environment (CDE) – the network segments established to secure cardholder data – plus the systems that connect to it or could affect its security.
Without segmentation, the scope of your assessment could encompass your entire network, because every system component that stores, processes or transmits cardholder data, and every component that could impact the security of those systems, is in scope when it sits on the same flat network. Two caveats apply: segmentation controls (firewalls, ACLs, VLANs with enforced filtering) only reduce scope if they actually prevent traffic, and PCI DSS requires penetration testing to verify that the segmentation is operational and effective – at least annually for merchants and every six months for service providers – so the controls you rely on to exclude systems must be documented and demonstrably enforced.
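To make the scoping logic concrete, here is an added example (it is not part of the original article and not a Freed Maxick tool). It models a hypothetical network as named segments with a default-deny firewall between them, computes which segments fall into assessment scope with and without segmentation, and then checks constructed firewall flow records for traffic that reaches the CDE outside the permitted rules – the kind of evidence a segmentation test is looking for. The segment names, address ranges, rules and flow records are all constructed for illustration, and the scoping rule is deliberately simplified: a segment is treated as "connected-to" (and therefore in scope) if any permitted rule lets it talk directly to or from a CDE segment.

```python
import ipaddress

# Constructed example inventory (hypothetical; not from the article).
SEGMENTS = {
    "cde-pos":    ipaddress.ip_network("10.10.1.0/24"),    # POS terminals (cardholder data)
    "cde-db":     ipaddress.ip_network("10.10.2.0/24"),    # payment database
    "it-mgmt":    ipaddress.ip_network("10.20.1.0/24"),    # jump hosts, patching, directory
    "corp-users": ipaddress.ip_network("10.30.0.0/16"),    # office workstations
    "guest-wifi": ipaddress.ip_network("192.168.50.0/24"), # visitor wireless
}
CDE = {"cde-pos", "cde-db"}

# Segmentation controls: the only permitted segment-to-segment flows,
# as (source segment, destination segment, destination port).
# Everything not listed is denied by a default-deny firewall between segments.
ALLOW = {
    ("cde-pos", "cde-db", 5432),     # POS writes to the payment database
    ("it-mgmt", "cde-pos", 22),      # admins manage POS hosts over SSH
    ("it-mgmt", "cde-db", 22),       # admins manage the database host over SSH
    ("corp-users", "it-mgmt", 443),  # staff reach the management portal
}


def segment_of(ip):
    """Map an IP address to the name of the segment it belongs to (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def assessment_scope(allow=ALLOW, cde=CDE, segmentation_in_place=True):
    """Return the set of segments a PCI DSS assessment must cover.

    Without segmentation the network is one flat zone, so every segment is in
    scope. With segmentation, scope is the CDE plus every segment that has a
    permitted path into or out of the CDE (connected-to systems, which can
    affect the security of the CDE).
    """
    if not segmentation_in_place:
        return set(SEGMENTS)
    scope = set(cde)
    for src, dst, _port in allow:
        if src in cde or dst in cde:
            scope.add(src)
            scope.add(dst)
    return scope


def check_flows(flows, allow=ALLOW, cde=CDE):
    """Flag observed flows that touch the CDE but are not in the allow list.

    `flows` is an iterable of (src_ip, dst_ip, dst_port). Each finding is a
    segmentation gap: either the firewall is not enforcing the documented
    rules, or the source segment is really in scope and must be assessed.
    """
    findings = []
    for src_ip, dst_ip, port in flows:
        src, dst = segment_of(src_ip), segment_of(dst_ip)
        if src is None or dst is None or src == dst:
            continue  # unknown address or intra-segment traffic: not a segmentation question
        if (src in cde or dst in cde) and (src, dst, port) not in allow:
            findings.append((src, dst, port, src_ip, dst_ip))
    return findings


# Constructed flow records, as if exported from firewall logs (hypothetical).
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.10.2.5", 5432),    # POS -> DB: permitted
    ("10.20.1.3", "10.10.2.5", 22),       # admin SSH to DB: permitted
    ("10.30.4.20", "10.10.2.5", 5432),    # workstation -> DB: not permitted
    ("192.168.50.9", "10.10.1.15", 445),  # guest wifi -> POS: not permitted
    ("10.30.4.20", "10.30.4.21", 445),    # intra-segment: ignored
]

if __name__ == "__main__":
    print("flat network scope:", sorted(assessment_scope(segmentation_in_place=False)))
    print("segmented scope:   ", sorted(assessment_scope()))
    for finding in check_flows(SAMPLE_FLOWS):
        print("segmentation gap:", finding)
```

Run as-is, the flat-network case puts all five segments in scope, while the segmented case reduces scope to the two CDE segments plus it-mgmt. The two flagged flows (a workstation reaching the payment database, and guest wireless reaching a POS host) are exactly what a segmentation penetration test is meant to surface: if such traffic is possible, corp-users and guest-wifi are in scope regardless of what the network diagram says.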
PCI Compliance Support Through a Very Technical and Nuanced Process
With so many variables impacting the exact nature of compliance validation requirements, simply figuring out what your organization will need to do can be a daunting, very complicated process. By making the five determinations recommended above, you’ll place your organization in a strong starting position to be able to achieve its compliance goals.
A company or organization venturing into the world of PCI compliance should be exploring its options, the likely costs, and how to leverage the upsides of compliance. It is a long and complicated path that is easier to navigate with the PCI compliance support of the Qualified Security Assessors on the Freed Maxick team. We're happy to talk with you about your situation at no fee or obligation.
Reach out to us via our contact form or call me at 716.332.2680 to schedule a discussion of your situation and needs.