We are a Level 3 merchant that has had a third-party company perform our PCI assessments for a few years. We are implementing a new point-of-sale terminal system that requires us to use a different credit card transaction processor. Since the terminals will likely not generate that many transactions in the coming year, the new processor has now identified us as a Level 4 merchant. When it comes time to submit our report on compliance to the new processor, can we submit it via our PCI assessment provider, since they usually do our ROC? Or, is it unlikely that the new processor will accept this ROC?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
There are several issues embedded in your question, so let's tackle them one at a time.
First, let's talk about merchant levels. As you are probably aware, Visa and MasterCard divide merchants into four levels based upon transaction volume. Level 1 merchants are the largest merchants, processing more than six million transactions annually. At the other end of the spectrum, Level 4 merchants handle fewer than one million total transactions annually, with fewer than 20,000 of those through e-commerce channels. The card processors either reserve the right to change a company's level if it suffers a breach or just decide that it should be subject to more stringent requirements.
When it comes to what must be done to comply with Payment Card Industry Data Security Standards (PCI DSS), the requirements do not vary based on merchant level. Everyone must comply with all requirements. The difference is how you validate compliance. Level 1 merchants are required to hire an independent qualified security assessor (QSA) to complete their assessments. When QSAs finish their assessment, they prepare a report on compliance (ROC). All other merchants are only required to perform a self-assessment, which is documented on the self-assessment questionnaire (SAQ).
That said, merchants of all levels are welcome to hire a QSA to prepare a report on compliance. You mentioned that you are a Level 3 merchant, so it sounds like you fall into that camp. That's expensive, but perfectly acceptable, and I can't imagine that a merchant bank would not accept an independent ROC over a self-completed SAQ.
Finally, I have bad news for you. In your specific case, I don't think that the new merchant bank will accept your old ROC. Why? Because you mentioned that you're implementing a new system. I think it's likely that they will ask you to reevaluate your environment based on the new system and then provide either an SAQ or a ROC based on that new evaluation.
This was first published in October 2012