In the last blog post, I discussed the first 2 steps of the 4-step process that small businesses need to follow to comply with the Payment Card Industry Data Security Standard (“PCI DSS”):
1. PCI DSS Scoping – Determine which of the organization’s system components and computer networks are in scope for the PCI DSS assessment.
2. Assessing – Examine and assess the compliance of the in-scope system components and computer networks, following the testing procedures for each PCI DSS Requirement.
3. Reporting – The PCI DSS Qualified Security Assessor (QSA) and/or the business submits the documentation required to validate compliance with PCI DSS, including documentation of all compensating controls.
4. Clarifications – The QSA and/or the business clarifies the ROC and/or SAQ, if needed, at the request of the acquiring bank or payment card brand.
This week I’ll look at the remaining 2 steps.
Reports are the official mechanism by which a business validates compliance with PCI DSS to its acquiring bank or payment card brand. Depending on the payment card brand and the acquiring bank, any of the following reports may be required: a Report on Compliance (ROC); a Self-Assessment Questionnaire (SAQ); quarterly scan reports from an Approved Scanning Vendor (“ASV”), if required; and possibly others.
The form and extent of your validation reporting is decided by your acquiring bank in accordance with the validation requirements set by the payment card brands. Visa, for example, divides merchants into 4 risk levels based on aggregate Visa transaction volume over a 12-month period. The more transactions a merchant handles, the greater the validation reporting requirements:
|Level/Tier|Merchant Criteria|Validation Requirements|
|---|---|---|
|Level 1|Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region|Annual ROC by a Qualified Security Assessor (“QSA”), or by an internal auditor if signed by an officer of the company (the internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification); quarterly network scan by an ASV|
|Level 2|Merchants processing 1 million to 6 million Visa transactions annually (all channels)|Annual SAQ; quarterly network scan by an ASV; Attestation of Compliance form|
|Level 3|Merchants processing 20,000 to 1 million Visa e-commerce transactions annually|Annual SAQ; quarterly network scan by an ASV; Attestation of Compliance form|
|Level 4|Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually|Annual SAQ recommended; quarterly network scan by an ASV if applicable; compliance validation requirements set by the merchant bank|
A merchant that suffers a data breach is automatically moved up a level and may be required to fulfill the Level 1 validation requirements even though it does not handle over 6 million Visa transactions. MasterCard, Discover, and American Express also base validation requirements on transaction volume, although American Express breaks down the numbers a little differently.
Report on Compliance (ROC)
ROCs are the most detailed and complicated of the validation reports required by the PCI Security Standards Council. A ROC describes the organization’s environment and assessment methodology, and documents the organization’s compliance with each PCI DSS Requirement.
Any QSA completing a ROC assessment for a business must use the official ROC Reporting Template for PCI DSS v3.0. The template includes the following sections:
- Executive Summary – Description of the organization’s payment card business and a high-level network diagram.
- Description of Scope of Work and Approach Taken – Description of how the assessment was conducted, the environment, the network segmentation used, details of each sample set selected and tested, wholly owned or international entities requiring PCI DSS compliance, wireless networks or applications that could impact the security of cardholder data, and the version of PCI DSS used to conduct the assessment.
- Details about Reviewed Environment – Diagram of each network, description of the cardholder data environment (“CDE”), list of all hardware and software in the CDE, service providers used, third-party payment applications, individuals interviewed, documentation reviewed, and details of managed service providers.
- Contact Information and Report Date
- Quarterly Scan Results – Summary of four most recent ASV scan results
- Findings and Observations – Detailed findings on each requirement and sub-requirement, including explanation of all N/A responses and validation of all compensating controls.
As you can likely tell, the ROC is enormously complicated and expensive. ROCs are usually only required for entities that handle a significant number of transactions (over 6 million for Visa, MasterCard and Discover) or that have previously had a data breach. They should only be completed by a QSA or ISA. If you need a QSA, consult the list of approved QSAs published by the PCI SSC.
Self Assessment Questionnaires (SAQ)
Most small businesses handle fewer than 6 million credit card transactions and only need to file an annual SAQ rather than a ROC. An SAQ is a series of yes-or-no questions about your security posture and practices with respect to each applicable PCI DSS requirement. If you answer “no” to a question, the business may be required to document the remediation steps that will be taken to correct the deficiency and when those steps will be complete.
The type of SAQ that your business needs to complete depends on the manner in which you accept credit cards:
|SAQ|Merchant Criteria|
|---|---|
|A|Card-not-present merchants (e-commerce or mail/telephone-order) that fully outsource all cardholder data functions to PCI DSS compliant third-party service providers. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.|
|A-EP|E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.|
|B|Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.|
|B-IP|Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor. No electronic cardholder data storage. Not applicable to e-commerce channels.|
|C-VT|Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.|
|C|Merchants with payment application systems connected to the Internet. No electronic cardholder data storage. Not applicable to e-commerce channels.|
|P2PE-HW|Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.|
|D|SAQ D for Merchants: all merchants not covered by the descriptions of the SAQ types above. SAQ D for Service Providers: all service providers defined by a payment brand as eligible to complete an SAQ.|
Each SAQ is intended to be used only by merchants that fit its description, and its questions are tailored to the PCI DSS requirements that apply to that type of credit card processing. As a result, some questionnaires have fewer questions and are easier to complete than others, because the merchant has less contact with credit card data. Choose the questionnaire that fits your business. If you’re not sure which SAQ to fill out, check with your acquiring bank, which can provide guidance. Many processors will even fill out the SAQ for you (usually for a fee), but you should review it to make sure it is the right one.
Quarterly Network Scans
As discussed last week, an organization usually has to have its systems scanned quarterly by an Approved Scanning Vendor (ASV) to check for internal and external vulnerabilities. See Credit Card Security for Business (part I) at no. 11; see also PCI DSS Requirements and Assessment Procedures at Req. 11. Hire an ASV to conduct your quarterly scanning and follow your acquiring bank’s guidance on the form and process for reporting compliance.
Attestation of Compliance
The Attestation of Compliance (“Attestation”) is your organization’s declaration that the relevant PCI DSS requirements have been met. There are 9 different versions of the Attestation, depending on which SAQ or ROC you use. If your business uses a ROC, use the Attestation for ROCs. If it uses SAQ A, use the Attestation for SAQ A. And so on.
Each Attestation requires your business to provide:
- Details about the business and the individual conducting the PCI DSS Assessment;
- Executive summary of the manner in which your business accepts credit cards, the CDE covered by the assessment, third-party service providers, and your eligibility to use the validation report being used (ROC, SAQ A, SAQ A-EP, etc.);
- Date that validation report was completed;
- Whether your business complies with all of the PCI DSS requirements specified in the validation report;
- Action Plan for any Non-Compliant Requirements.
The Attestation should be accurate and free of misrepresentations about the status of your PCI DSS compliance. It’s far better to identify deficiencies and develop a plan for remediating them than to make a false statement to secure compliance.
Occasionally, the acquiring bank or credit card brand will ask for a clarification regarding some aspect of your PCI DSS compliance. Do not panic! This is not uncommon. Cooperate fully and be as helpful as possible in understanding and solving the problem. Forward copies of any documents requested, and make sure to properly document each request, your answer, and any documents that are sent.
If your acquiring bank wants to conduct a PCI DSS audit, comply fully. A PCI DSS audit usually occurs when a data breach is suspected. If notified of an upcoming audit, gather all relevant information related to PCI DSS compliance and have it ready for the inspectors when they arrive. You want the audit team to be assured that you take PCI DSS compliance seriously and are on board for full cooperation. This will make the process smoother and get your business up and running again as soon as possible.
The audit team comes in and checks whether a security breach has occurred and the circumstances of the breach. The auditors also determine whether your business is actually compliant with PCI DSS requirements. If your business meets PCI DSS requirements, you are not responsible for any fines, credit card replacement fees, or fraud refunds that result from the breach. If your business is not compliant, you are potentially on the hook for all of these costs.
That’s it for this week. Thanks for reading. Let me know if you have any questions regarding PCI DSS or anything else.