 |
|


|
| > |
QUESTION POSED ON: 21 October 2008
Would QSAs normally write up a PCI DSS report on compliance (ROC) and submit it to all issuing card brands? If not, to whom does the ROC get submitted? Also, if we do not utilize a QSA, what is the easiest procedure to complete the ROC and whom should we submit it to? Is there a standard ROC template? We are currently a Level 3 merchant.
|
|
|
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
');
// -->

Engaging a QSA and undergoing a formal PCI DSS assessment tends to be more applicable to Level 1 and 2 merchants. The requirements for Level 3 merchants are a bit different, in that a company is only required to self-certify its environment and conduct a quarterly scan.
Though I can't say that doing more rather than less security is a bad thing; if a company does undergo an assessment, the QSA needs to prepare a report on compliance (ROC), which is essentially an independent validation that the merchant is in compliance with PCI DSS. It is based upon the PCI Security Standards Council's standard template, which is available on its website. The merchant submits the ROC to the various payment processors. The QSA does not submit it to either the PCI Security Standards Council or the payment card brands: That's the responsibility of the merchant. In fact, not only should the ROC should be submitted, but also proof that quarterly scans are being conducted.
If the company chooses to self-assess, then it should fill out the "Self-Assessment Questionnaire" and submit that along with quarterly scan results to the merchant's payment processor. To make sure the merchant is in full compliance, it wouldn't hurt to build the entire ROC, though it's likely overkill for a Level 3 merchant.
More information:
|
|
|

|
|
 |

 |
 |
Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and
answer pairs from more than 250 TechTarget industry experts.
|
 |
 |
 |
|
 |
 |
 |
|
 |
|
 |