Organizations subject to the Payment Card Industry Data Security Standard (PCI DSS) must meet a laundry list of PCI validation requirements on a regular basis to certify its compliance to their merchant banks. These requirements include the need for periodic reports on compliance (ROCs), vulnerability scans, penetration testing and Web application testing. In this tip, we examine these requirements to provide a detailed outline of what is needed to remain PCI DSS-compliant.
It's a good idea to run regular compliance scans for the company's own purposes to validate that it will pass before running the official scan that will be reported to its merchant bank.
Reporting compliance: SAQs and ROCs
Perhaps the most significant PCI requirement is that all but the smallest merchants (those who process fewer than 20,000 e-commerce transactions and less than 1 million total transactions per year) must submit annual compliance validation reports to their merchant bank. The scope of these reports and the qualifications of the individuals performing the assessment vary depending upon where an organization falls within the PCI DSS merchant levels.
The largest merchants (those with over 6 million transactions per year) are classified as Level 1 merchants and must have an independent audit performed on an annual basis. This audit may be performed by either a Qualified Security Assessor (QSA) or the firm's internal audit group if the audit is signed by an officer of the company. In those cases, the QSA or internal auditors complete an ROC for submission to the merchant bank. Level 2 and 3 merchants may conduct the assessment using their own IT and business staff and document the results on one of the self-assessment questionnaires (SAQ).
The scope of the audit depends upon the characteristics of the merchant's cardholder data environment -- essentially, the more complex the environment, the greater the scope of the audit. The possibilities are as follows:
- SAQ A, the simplest form, is reserved for those merchants that have outsourced all card processing responsibilities.
- SAQ B contains the requirements for imprint-only or standalone dial-out terminal users that do not store any cardholder data electronically.
- SAQ C is used in cases where merchants have payment application systems that are connected to the Internet but do not store cardholder data. There is a separate version of SAQ C for those merchants using virtual terminals.
- SAQ D, the most complex form, is required for all merchants that are not eligible to fill out one of the shorter SAQs. This includes merchants with systems that store cardholder information.
Of course, it's in every merchant's best interest to move as far down the SAQ chain as possible. Don't fill out the lengthy SAQ D if your organization is eligible to complete the brief SAQ A!
All merchants with externally facing (public) IP addresses must also complete quarterly external network vulnerability scans and provide those results to their merchant bank. The PCI DSS standard requires organizations to perform the scans through any of their Approved Scanning Vendors (ASVs), but the organization's merchant bank may require that it use a specific ASV. Many merchant banks require the use of a single ASV partner who, in turn, provides the bank with direct access to consolidated reports, easing the administrative burden on their end.
From the editors: More on PCI compliance
Can merchants submit a ROC from an old PCI assessment provider?
How to choose the best PCI DSS Qualified Security Assessor
Of course, simply performing the scan is not sufficient -- companies must actually pass the scan to be able to assert PCI DSS compliance. For this reason, it's a good idea to run regular compliance scans for the company's own purposes to validate that it will pass before running the official scan that will be reported to its merchant bank.
Two additional requirements apply to organizations with infrastructures that process cardholder data: penetration testing and Web application assessment. Organizations must perform annual internal and external penetration testing of its cardholder data environment, including both network and application layer tests. Similarly, organizations with Web applications must perform Web application assessments on an annual basis and after any significant changes. Both of these tests must be performed either by a qualified security consultant or by qualified employees of the merchant, provided that the employees performing the tests are organizationally independent from those maintaining the systems.
As companies build their PCI DSS compliance program, it is increasingly important to keep all of these requirements in mind. It's a good idea to plan an annual calendar of assessments and tests so that the company doesn't miss a deadline or wind up rushing to complete all of its PCI validation requirements at the end of the year. Finally, be sure to retain documentation of all of the company's assessments so that its compliance can be demonstrated to an auditor.
About the author:
Mike Chapple, Ph. D., CISA, CISSP, is an IT security manager at the University of Notre Dame. He previously served as an information security researcher at the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for the Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.