We are a Level 3 merchant that has had a third-party company perform our PCI assessments for a few years. We are...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
implementing a new point-of-sale terminal system that requires us to use a different credit card transaction processor. Since the terminals will likely not generate that many transactions in the coming year, the new processor has now identified us as a Level 4 merchant. When it comes time to submit our report on compliance to the new processor, can we submit it via our PCI assessment provider, since they usually do our ROC? Or, is it unlikely that the new processor will accept this ROC?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
There are several issues embedded in your question, so let's tackle them one at a time.
First, let's talk about merchant levels. As you are probably aware, Visa and MasterCard divide merchants into four levels based upon transaction volume. Level 1 merchants are the largest merchants, processing more than six million transactions annually. At the other end of the spectrum, Level 4 merchants handle fewer than one million total transactions annually, with fewer than 20,000 of those through e-commerce channels. The card processors either reserve the right to change a company's level if it suffers a breach or just decide that it should be subject to more stringent requirements.
When it comes to what must be done to comply with Payment Card Industry Data Security Standards (PCI DSS), the requirements do not vary based on merchant level. Everyone must comply with all requirements. The difference is how you validate compliance. Level 1 merchants are required to hire an independent qualified security assessor (QSA) to complete their assessments. When QSAs finish their assessment, they prepare a report on compliance (ROC). All other merchants are only required to perform a self-assessment, which is documented on the self-assessment questionnaire (SAQ).
That said, merchants of all levels are welcome to hire a QSA to prepare a report on compliance. You mentioned that you are a Level 3 merchant, so it sounds like you fall into that camp. That's expensive, but perfectly acceptable, and I can't imagine that a merchant bank would not accept an independent ROC over a self-completed SAQ.
Finally, I have bad news for you. In your specific case, I don't think that the new merchant bank will accept your old ROC. Why? Because you mentioned that you're implementing a new system. I think it's likely that they will ask you to reevaluate your environment based on the new system and then provide either an SAQ or a ROC based on that new evaluation.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
It's hard to tell if a company is a HIPAA business associate, but a closer look at HHS documents helps. Expert Mike Chapple discusses a specific case...continue reading
There was speculation in the security world over whether the FedRAMP certification would be helpful or not. Now that it's in full use, Mike Chapple ...continue reading
Medical device companies are part of the health industry, but does that make them a HIPAA covered entity or business associate? Expert Mike Chapple ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.