We are a Level 3 merchant that has had a third-party company perform our PCI assessments for a few years. We are...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
implementing a new point-of-sale terminal system that requires us to use a different credit card transaction processor. Since the terminals will likely not generate that many transactions in the coming year, the new processor has now identified us as a Level 4 merchant. When it comes time to submit our report on compliance to the new processor, can we submit it via our PCI assessment provider, since they usually do our ROC? Or, is it unlikely that the new processor will accept this ROC?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
There are several issues embedded in your question, so let's tackle them one at a time.
First, let's talk about merchant levels. As you are probably aware, Visa and MasterCard divide merchants into four levels based upon transaction volume. Level 1 merchants are the largest merchants, processing more than six million transactions annually. At the other end of the spectrum, Level 4 merchants handle fewer than one million total transactions annually, with fewer than 20,000 of those through e-commerce channels. The card processors either reserve the right to change a company's level if it suffers a breach or just decide that it should be subject to more stringent requirements.
When it comes to what must be done to comply with Payment Card Industry Data Security Standards (PCI DSS), the requirements do not vary based on merchant level. Everyone must comply with all requirements. The difference is how you validate compliance. Level 1 merchants are required to hire an independent qualified security assessor (QSA) to complete their assessments. When QSAs finish their assessment, they prepare a report on compliance (ROC). All other merchants are only required to perform a self-assessment, which is documented on the self-assessment questionnaire (SAQ).
That said, merchants of all levels are welcome to hire a QSA to prepare a report on compliance. You mentioned that you are a Level 3 merchant, so it sounds like you fall into that camp. That's expensive, but perfectly acceptable, and I can't imagine that a merchant bank would not accept an independent ROC over a self-completed SAQ.
Finally, I have bad news for you. In your specific case, I don't think that the new merchant bank will accept your old ROC. Why? Because you mentioned that you're implementing a new system. I think it's likely that they will ask you to reevaluate your environment based on the new system and then provide either an SAQ or a ROC based on that new evaluation.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
A proposed cyberattack information database in the U.K. aims to improve cyberinsurance. Expert Mike Chapple explains what collecting data breach ...continue reading
The proposed CFTC regulations on cybersecurity testing are set to finalize in 2016. Expert Mike Chapple discusses the effects these regulations have ...continue reading
Whether Apple is a HIPAA covered entity was called into question when it advertised for a health regulations lawyer. Expert Mike Chapple discusses ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.