I know a PCI Internal Security Assessor (ISA) can sign for merchant reports on compliance (ROCs), but can an ISA...
validate compliance of a level 1 merchant that is also a service provider? If not, how should such cases be handled?
There are differences between Internal Security Assessors and Qualified Security Assessors (QSA), as well as the assessments they're able to validate. With these assessments, there are also particular levels of providers and merchants that require different standards of validation.
Internal Security Assessors are normally employees of the organization being assessed. This closeness to the business can create a better understanding of the processes of the system owners, but when level 1 service providers are involved, there needs to be a third-party perspective.
A service provider is defined as an entity that processes, stores or transmits cardholder data on behalf of another business or organization. Like merchants, there are multiple levels of service providers, and a level 1 merchant requires a Qualified Security Assessor to complete the reports on compliance.
Level 1 service providers are organizations that perform more than 300,000 credit card transactions on an annual basis. In contrast, a level 2 service provider allows for an annual self-assessment questionnaire and would suffice with an Internal Security Assessor.
Mastercard has said that 300,000 transactions are required to successfully complete on-site assessments and quarterly network scans. The ROC for the on-site assessment must be completed and should be submitted by the Qualified Security Assessor to Mastercard. When looking for a Qualified Security Assessor, speak with organizations that have experience with service providers at a level 1 status.
By using a Qualified Security Assessor, organizations get an on-site assessment by an assessor that has perspective and experience outside the current organization. This isn't anything against the Internal Security Assessor, but having additional viewpoints of the PCI standards from other assessments enables Qualified Security Assessors to potentially bring more experience to an assessment.
It also brings in third-party involvement to validate that organizations are meeting standards without relying on internal resources. This doesn't mean that Qualified Security Assessors are more skilled than Internal Security Assessors, but that they often bring a level of experience with the PCI standard that an Internal Security Assessor might not hold.
There are cons to having a Qualified Security Assessor, too. It's possible that they might lean more toward passing an audit, without being concerned for the true security of the company. This is speculation on my part, but it's the mindset I'm assuming was behind only Qualified Security Assessors being able to complete an ROC for level 1 service providers.
With level 1 providers being used for large amounts of customer transactions, and sometimes dealing with particular technology, it was the council's decision to have a Qualified Security Assessor perform the assessments for level 1 service providers.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Take this quiz to test your PCI DSS vocabulary
Learn about PCI DSS 3.2 and what it means for enterprises
Find out how vulnerability scanning tools can help with PCI DSS compliance
Dig Deeper on PCI Data Security Standard
Related Q&A from Matthew Pascucci
Troubleshooting VPN session timeout and lockout issues should focus first on isolating where the root of the problem lies -- be it the internet ... Continue Reading
What sets web roles and worker roles apart in Microsoft's Azure Cloud Services? Here's a look at how they are different. Continue Reading
Container security continues to be a pressing issue as containers and hosts are being used more frequently. Learn how to keep your enterprise safe ... Continue Reading