Would QSAs normally write up a PCI DSS report on compliance (ROC) and submit it to all issuing card brands? If not, to whom does the ROC get submitted? Also, if we do not utilize a QSA, what is the easiest procedure to complete the ROC and whom should we submit it to? Is there a standard ROC template? We are currently a Level 3 merchant.
Engaging a QSA and undergoing a formal PCI DSS assessment tends to be more applicable to Level 1 and 2 merchants. The requirements for Level 3 merchants are a bit different, in that a company is only required to self-certify its environment and conduct a quarterly scan.
Though I can't say that doing more rather than less security is a bad thing, if a company does undergo an assessment, the QSA needs to prepare a report on compliance (ROC), which is essentially an independent validation that the merchant is in compliance with PCI DSS. It is based upon the PCI Security Standards Council's standard template, which is available on its website. The merchant submits the ROC to the various payment processors. The QSA does not submit it to either the PCI Security Standards Council or the payment card brands: that's the responsibility of the merchant. In fact, not only should the ROC be submitted, but also proof that quarterly scans are being conducted.
If the company chooses to self-assess, then it should fill out the "Self-Assessment Questionnaire" and submit that along with quarterly scan results to the merchant's payment processor. To make sure the merchant is in full compliance, it wouldn't hurt to build the entire ROC, though it's likely overkill for a Level 3 merchant.