Answer

Submitting a report on compliance from an old PCI assessment provider

We are a Level 3 merchant that has had a third-party company perform our PCI assessments for a few years. We are implementing a new point-of-sale terminal system that requires us to use a different credit card transaction processor. Since the terminals will likely not generate that many transactions in the coming year, the new processor has now identified us as a Level 4 merchant. When it comes time to submit our report on compliance  to the new processor, can we submit it via our PCI assessment provider, since they usually do our ROC?  Or, is it unlikely that the new processor will accept this ROC? 

    Requires Free Membership to View

Ask the Expert!

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

There are several issues embedded in your question, so let's tackle them one at a time.

First, let's talk about merchant levels. As you are probably aware, Visa and MasterCard divide  merchants into four levels based upon transaction volume. Level 1 merchants are the largest merchants, processing more than six million transactions annually. At the other end of the spectrum, Level 4 merchants handle fewer than one million total transactions annually, with fewer than 20,000 of those through e-commerce channels. The card processors either reserve the right to change a company's level if it suffers a breach or just decide that it should be subject to more stringent requirements.

When it comes to what must be done to comply with Payment Card Industry Data Security Standards (PCI DSS), the requirements do not vary based on merchant level. Everyone must comply with all requirements. The difference is how you validate compliance. Level 1 merchants are required to hire an independent qualified security assessor (QSA) to complete their assessments.  When QSAs finish their assessment, they prepare a report on compliance (ROC). All other merchants are only required to perform a self-assessment, which is documented on the self-assessment questionnaire (SAQ).

That said, merchants of all levels are welcome to hire a QSA to prepare a report on compliance. You mentioned that you are a Level 3 merchant, so it sounds like you fall into that camp. That's expensive, but perfectly acceptable, and I can't imagine that a merchant bank would not accept an independent ROC over a self-completed SAQ.

Finally, I have bad news for you. In your specific case, I don't think that the new merchant bank will accept your old ROC. Why? Because you mentioned that you're implementing a new system. I think it's likely that they will ask you to reevaluate your environment based on the new system and then provide either an SAQ or a ROC based on that new evaluation.

This was first published in October 2012

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: