Can a PCI Level 2 merchant perform a PCI self-assessment?

I participated in your session on PCI DSS during the Compliance and Security Virtual Seminar on March 7th and have a follow-up question for you. I am the IT audit manager at a bank that is classified as a Level 2 merchant and was wondering if internal audit is able to perform the periodic self-assessments required by PCI, since we don't have an ISA on staff.

Yes, absolutely. In fact, there are no requirements about who in an organization can complete the PCI self-assessment questionnaire (SAQ). This annual assessment -- mandated of all Level 2, 3 and 4 PCI DSS merchants -- requires only that the organization evaluate the effectiveness of its security controls and certify to its merchant bank that its operations fall within PCI DSS requirements.

Ask the Expert!

Got a vexing compliance problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

As you may know, the PCI self-assessment program does not apply to Level 1 merchants, who must have a qualified security assessor (QSA) conduct an annual independent assessment of their security controls and provide that assessment to the merchant bank.

In addition to completing the annual assessment, PCI DSS also requires a few other assessments that can be performed by different groups:

  • Quarterly external vulnerability scans must be performed by an approved scanning vendor (ASV) and may not be conducted by internal resources.
  • Quarterly internal vulnerability scans may be performed by any qualified party (internal or external), provided that there is organizational independence between the tester and those responsible for the controls. Internal audit would be an excellent candidate for this role. These scans must also take place after any significant change to the payment environment.
  • Annual internal and external penetration tests may be performed by any qualified party passing the same independence test.

So, the bottom line is your internal audit group may indeed play a significant role in your PCI DSS compliance program.

This was first published in April 2012
