
	Home > Ask the Security Experts > Expert Archive: Security Management Questions & Answers > Using a QSA to write up a PCI DSS report on compliance (ROC)

Ask The Security Expert: Questions & Answers

EMAIL THIS

Using a QSA to write up a PCI DSS report on compliance (ROC)

EXPERT RESPONSE FROM: Mike Rothman, past SearchSecurity.com expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 21 October 2008
Would QSAs normally write up a PCI DSS report on compliance (ROC) and submit it to all issuing card brands? If not, to whom does the ROC get submitted? Also, if we do not utilize a QSA, what is the easiest procedure to complete the ROC and whom should we submit it to? Is there a standard ROC template? We are currently a Level 3 merchant.

Engaging a QSA and undergoing a formal PCI DSS assessment tends to be more applicable to Level 1 and 2 merchants. The requirements for Level 3 merchants are a bit different, in that a company is only required to self-certify its environment and conduct a quarterly scan.

Though I can't say that doing more rather than less security is a bad thing; if a company does undergo an assessment, the QSA needs to prepare a report on compliance (ROC), which is essentially an independent validation that the merchant is in compliance with PCI DSS. It is based upon the PCI Security Standards Council's standard template, which is available on its website. The merchant submits the ROC to the various payment processors. The QSA does not submit it to either the PCI Security Standards Council or the payment card brands: That's the responsibility of the merchant. In fact, not only should the ROC should be submitted, but also proof that quarterly scans are being conducted.

If the company chooses to self-assess, then it should fill out the "Self-Assessment Questionnaire" and submit that along with quarterly scan results to the merchant's payment processor. To make sure the merchant is in full compliance, it wouldn't hurt to build the entire ROC, though it's likely overkill for a Level 3 merchant.

More information:

Learn how to subvert the security standards dilemma between network segmentation and PCI compliance.
When filling out the PCI DSS questionnaire, is it important to provide documentation? Read more.

BROWSE BY TAG

Expert Archive: Security Management, Security Audit, Compliance and Standards, IT Security Audits, PCI Data Security Standard, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Expert Archive: Security Management
	What is the GISP certification and how does it compare to the CISSP certification?
	How can gap analysis be applied to the security SDLC?
	Comparing cheap security products and appliances to costly appliances
	What are some tips on protecting my security budget in a poor economy?
	What value do research firms provide to their subscribing enterprises?
	What certificate offers the best ROI for an IT project manager?
	Is insider activity or outsider activity a bigger enterprise threat?
	How does information security prevent fraud in the enterprise?
	Differences between an SAS 70 data center and a Tier III data center
	What does the future of the endpoint encryption market look like?

IT Security Audits

Standards compliance does not equal sound information security risk management

Tony Spinelli: Prioritize Information Security over Compliance

How to prepare for a FERPA audit

MasterCard increases PCI compliance requirements for some merchants

How to select a set of network security audit guidelines

How to write a risk methodology that blends business, security needs

PCI compliance requirement 11: Testing

Using IAM tools to improve compliance

Forensic accounting success depends on information security support

HIPAA compliance: New regulations change the game

PCI Data Security Standard

Chip and PIN adoption

Chip and PIN adoption serves lesson for U.S. payment industry

Heartland CIO is critical of First Data's credit card tokenization plan

Heartland CIO on end-to-end encryption, credit card tokenization

Heartland CIO on PCI, E3 project

Wireless network guidelines for PCI DSS compliance

Visa probes tokens, encryption for PCI card data protection

Feds push cybersecurity jobs, PCI DSS changes ahead.

Voltage, RSA spar over tokenization, data protection

Experts, vendors search for PCI's holy grail

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

PCI DSS (Payment Card Industry Data Security Standard ) (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy