For such a short question, you may be reading this because you are struggling to find a clear answer. Many organizations may be confused about what their requirements from a PCI perspective are, and with that confusion, may not even know who they need to ask to clear it up. The question of whether you need a PCI QSA onsite assessment performed is a significant one, as it has significant implications from a cost and resource perspective. We’ll provide some foundational background information and then provide some guidance of how to answer this question.
If you accept credit cards for payments, you need to be compliant with the PCI Data Security Standard (DSS). But what does that mean? What level merchant are you and what are your compliance requirements at that particular level? Your acquiring bank is the authoritative source on these questions. This is the bank or financial institution that processes credit card transactions on your behalf, exchanging funds with issuing banks on your behalf. They are also the ones that determine what merchant level you fall into and what proof of compliance you need to provide to them to continue processing credit card transactions.
But many organizations might not even be sure exactly who their acquiring bank is or who they need to contact at their acquiring bank. Most acquirers will have a designated representative that helps you deal with compliance-related questions, so we recommend finding who this person is and saving their contact information in a convenient location. You should be contacting this person for questions like:
- Can I complete separate SAQs for the different payment channels in my organization?
- What level merchant (or service provider) am I?
- What documentation do you require for me to prove compliance with PCI DSS?
- When is my documentation due? How does it need to be submitted?
- Will this compensating control be accepted?
- I’ve had a data breach, what should from a reporting perspective to stay in compliance?
Different Ways to Prove Compliance – SAQ vs. RoC
The required proof of compliance can be either a Self Assessment Questionnaire (SAQ) or Report on Compliance (RoC) , where an SAQ is simply a list of yes/no questions completed by the merchant organization or a third-party on their behalf and a RoC requires a PCI QSA onsite assessment. This onsite assessment consists of inspection and validation to confirm the security controls in place to protect cardholder data at the assessed organization. It must be conducted by a PCI Qualified Security Assessor (QSA) employed by a QSA-certified company, and an onsite portion of the assessment is mandatory.
As we mentioned, your acquirer should be the one to tell you what your reporting requirements. This is determined by your merchant level or service provider level. These levels, set by the payment brands (e.g. American Express, Visa, etc.), range from 1 to 4. These levels are primarily based on transaction volume, meaning that organizations with the highest number of transactions fall into Level 1 and organizations with lower volumes of transactions will fall into the lower levels. Each individual payment brand has different definitions for each level and some don’t even use 4 levels, but we’ll save that for a more in-depth blog. The important thing to note here is that your acquirer is the boss when it comes to what level merchant you are and what your responsibilities are. It should be noted that in some scenarios, organizations will elect to adhere to a higher standard of compliance and reporting voluntarily or based on customer requirements.
But what about service providers?
We talked a lot about merchants throughout this article, so it may not have been obvious that all this also applies to service providers, for the most part. Service providers can have acquirers that mandate their reporting requirements, but they could also interact directly with the payment brands to determine this. They might even be responsible for deciding their reporting requirements themselves, and then answering to their customers (merchants or other service providers) for the legitimacy of this decision. Service providers may only need to fill out an SAQ (although it would have to be an SAQ D) or they may be required to have a PCI QSA onsite assessment performed. There are also service provider levels defined by the payment brands, just like merchant levels, to help guide this decision-making process.
Bottom Line: The only way to answer the question of whether your organization needs a PCI QSA onsite assessment that results in a full Report on Compliance (RoC) is to ask your acquirer.