
Submitting a report on compliance from an old PCI assessment provider

Can companies submit a report on compliance to a new credit card transaction processor via a PCI assessment provider? Mike Chapple discusses.

We are a Level 3 merchant that has had a third-party company perform our PCI assessments for a few years. We are implementing a new point-of-sale terminal system that requires us to use a different credit card transaction processor. Since the terminals will likely not generate that many transactions in the coming year, the new processor has now identified us as a Level 4 merchant. When it comes time to submit our report on compliance to the new processor, can we submit it via our PCI assessment provider, since they usually do our ROC? Or is it unlikely that the new processor will accept this ROC?


There are several issues embedded in your question, so let's tackle them one at a time.

First, let's talk about merchant levels. As you are probably aware, Visa and MasterCard divide merchants into four levels based upon transaction volume. Level 1 merchants are the largest merchants, processing more than six million transactions annually. At the other end of the spectrum, Level 4 merchants handle fewer than one million total transactions annually, with fewer than 20,000 of those through e-commerce channels. The card processors either reserve the right to change a company's level if it suffers a breach or just decide that it should be subject to more stringent requirements.

When it comes to what must be done to comply with the Payment Card Industry Data Security Standard (PCI DSS), the requirements do not vary based on merchant level. Everyone must comply with all requirements. The difference is how you validate compliance. Level 1 merchants are required to hire an independent qualified security assessor (QSA) to complete their assessments. When QSAs finish their assessment, they prepare a report on compliance (ROC). All other merchants are only required to perform a self-assessment, which is documented on the self-assessment questionnaire (SAQ).

That said, merchants of all levels are welcome to hire a QSA to prepare a report on compliance. You mentioned that you are a Level 3 merchant, so it sounds like you fall into that camp. That's expensive, but perfectly acceptable, and I can't imagine that a merchant bank would not accept an independent ROC over a self-completed SAQ.

Finally, I have bad news for you. In your specific case, I don't think that the new merchant bank will accept your old ROC. Why? Because you mentioned that you're implementing a new system. I think it's likely that they will ask you to reevaluate your environment based on the new system and then provide either an SAQ or a ROC based on that new evaluation.

This was first published in October 2012
