A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information. During the assessment, a PCI Qualified Security Assessor (QSA) determines whether the merchant has met the 12 PCI DSS requirements, either directly or through a compensating control that provides a level of defense similar to the PCI DSS requirement. Shared hosting providers must meet an additional requirement to protect the cardholder data environment, according to Requirement A.1.
All five major credit card companies require compliance with PCI DSS. The standards are enforced by Visa, MasterCard, American Express, JCB International and Discover, and each of the five credit card companies has its own reporting and validation requirements, as well as penalties for noncompliance. Merchants must demonstrate compliance annually by submitting a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). Validation requirements vary, depending on what brand of credit card is used and how many transactions with the brand the merchant processes annually.
Companies that process over 6 million Visa transactions a year -- and are, therefore, Level 1 merchants -- must undergo a PCI assessment performed by a QSA. The QSA completes an ROC that verifies the business' PCI DSS compliance. The ROC is sent to the business' acquiring bank, which then sends it to the appropriate credit card company for verification.
PCI assessment requirements
The growing threat posed by vulnerabilities in the SSL cryptographic protocol, which is used to secure data sent over an untrusted network, prompted the PCI Security Standards Council (the Council) to release an unscheduled version of the standard in April 2015 -- PCI DSS 3.1. It requires merchants to move away from vulnerable encryption protocols, as they can no longer be used as a security control for the protection of payment data. This has a direct effect on the following PCI DSS requirements:
- Requirement 2.2.3. Implement additional security features for any required services, protocols or daemons that are considered to be insecure.
- Requirement 2.3. Encrypt all nonconsole administrative access using strong cryptography.
- Requirement 4.1. Use strong cryptography.
The Council not only requires merchants to phase out the use of SSL and early TLS, but also requires them to provide their assessor with a formal risk mitigation and migration plan detailing how they will make the transition. Organizations that can't completely migrate away from SSL and early TLS have to follow the PCI DSS Addressing Vulnerabilities with Compensating Controls process to verify that the affected system is not susceptible to SSL vulnerabilities.
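As an added example that is not part of the original article, the following Python script shows how an assessor or internal reviewer might map a web server's TLS settings to the three requirements listed above. The nginx configuration and host names are constructed, and the policy thresholds are assumptions modelled on the migration guidance (SSLv2, SSLv3 and TLS 1.0 treated as prohibited "SSL and early TLS", TLS 1.1 as transitional and requiring a migration plan, TLS 1.2 and later as acceptable); which hosts count as administrative access is also an assumption passed in by the caller.

```python
"""Map a web server's TLS settings to PCI DSS Requirements 2.2.3, 2.3 and 4.1.

Added example with a constructed nginx config; the protocol and cipher policy
below is an assumption modelled on the SSL/early TLS migration guidance.
"""
import re
from dataclasses import dataclass

PROHIBITED = {"SSLv2", "SSLv3", "TLSv1"}   # "SSL and early TLS": no longer a valid security control
TRANSITIONAL = {"TLSv1.1"}                  # tolerated only with a formal migration plan (assumption)

# Substrings marking a cipher-list entry as not "strong cryptography" (illustrative, not exhaustive).
WEAK_CIPHER_TOKENS = ("NULL", "EXPORT", "EXP-", "DES", "RC4", "MD5", "ADH", "AECDH")

DIRECTIVE = re.compile(r"^\s*(server_name|ssl_protocols|ssl_ciphers)\s+([^;]+);")


@dataclass
class Listener:
    server_name: str
    protocols: list
    ciphers: str


@dataclass
class Finding:
    server_name: str
    requirement: str   # PCI DSS requirement the finding maps to
    status: str        # "fail", "migrate" (plan required) or "verify"
    detail: str


def parse_nginx_listeners(config_text):
    """Collect TLS-relevant directives from each nginx `server { ... }` block.

    Deliberately naive: brace depth is tracked line by line, which is enough
    for the constructed input below but is not a full nginx grammar.
    """
    listeners, current, depth, server_depth = [], None, 0, 0
    for line in config_text.splitlines():
        stripped = line.split("#", 1)[0]          # drop trailing comments
        if current is None and re.match(r"^\s*server\s*\{", stripped):
            current = Listener("?", [], "")
            listeners.append(current)
            server_depth = depth
        match = DIRECTIVE.match(stripped)
        if match and current is not None:
            key, value = match.group(1), match.group(2).strip()
            if key == "server_name":
                current.server_name = value.split()[0]
            elif key == "ssl_protocols":
                current.protocols = value.split()
            else:
                current.ciphers = value
        depth += stripped.count("{") - stripped.count("}")
        if current is not None and depth <= server_depth:
            current = None                        # closing brace of this server block
    return listeners


def weak_cipher_entries(cipher_string):
    """Return positive cipher-list entries naming weak algorithms; '!'/'-' exclusions are skipped."""
    weak = []
    for entry in cipher_string.split(":"):
        if not entry or entry.startswith(("!", "-")):
            continue
        if any(tok in entry.upper() for tok in WEAK_CIPHER_TOKENS):
            weak.append(entry)
    return weak


def assess(listeners, admin_hosts=frozenset()):
    """Produce findings per listener. Hosts in admin_hosts are treated as non-console
    administrative access (Req. 2.3); all others as cardholder data in transit (Req. 4.1)."""
    findings = []
    for lst in listeners:
        req = "2.3" if lst.server_name in admin_hosts else "4.1"
        if not lst.protocols:
            findings.append(Finding(lst.server_name, req, "verify",
                                    "ssl_protocols not set; effective versions depend on the nginx default"))
        bad = [p for p in lst.protocols if p in PROHIBITED]
        if bad:
            findings.append(Finding(lst.server_name, req, "fail",
                                    "SSL/early TLS enabled: " + ", ".join(bad)))
            findings.append(Finding(lst.server_name, "2.2.3", "fail",
                                    "insecure protocol in use; compensating control documentation required"))
        if any(p in TRANSITIONAL for p in lst.protocols):
            findings.append(Finding(lst.server_name, req, "migrate",
                                    "TLSv1.1 enabled; dated migration plan to TLS 1.2+ required"))
        weak = weak_cipher_entries(lst.ciphers)
        if weak:
            findings.append(Finding(lst.server_name, req, "fail",
                                    "weak cipher suites offered: " + ", ".join(weak)))
    return findings


def is_compliant(findings):
    """True only when no finding is an outright failure."""
    return not any(f.status == "fail" for f in findings)


# Constructed nginx configuration: one non-compliant payment listener and one
# transitional admin listener (host names and settings are made up for this example).
SAMPLE_CONFIG = """
http {
    server {
        listen 443 ssl;
        server_name pay.example.test www.pay.example.test;   # payment pages
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:RC4-SHA;
        location / { proxy_pass http://app; }
    }
    server {
        listen 443 ssl;
        server_name admin.example.test;                      # back-office access
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
    }
}
"""

if __name__ == "__main__":
    found = assess(parse_nginx_listeners(SAMPLE_CONFIG), admin_hosts={"admin.example.test"})
    for f in found:
        print(f"{f.server_name:<20} Req {f.requirement:<6} {f.status:<8} {f.detail}")
    print("compliant:", is_compliant(found))
```

Running the script on the constructed config yields five findings: the payment listener fails Requirement 4.1 for SSLv3/TLS 1.0 and for the RC4 suite, fails 2.2.3 because an insecure protocol is in use without documented compensating controls, and needs a migration plan for TLS 1.1; the admin listener only needs the migration plan under Requirement 2.3. A "migrate" finding is the place where the formal risk mitigation and migration plan described above would be attached, and a "fail" on 2.2.3 is where the compensating-controls worksheet would be reviewed.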