A Client Just Told Me to Get PCI Certified, What Do I Do?

So you just had a client tell you that you need to be PCI certified. What comes next? First, every situation is slightly different, so it’s always a good idea to jump on a quick call with someone who is familiar with PCI to discuss your options, what’s being required of you, and what the best approach might be for your organization. You can always reach out to us to set up a quick call and talk through it. However, you may want to do some more research first, so let’s dive into a little more detail.

Types of Compliance

First, there are two types of PCI compliance. The first covers merchant services, for example how your company processes credit cards as payment for services rendered. This would make you a merchant. If it is a customer of yours reaching out to you, it is likely because you are a service provider (the second type, discussed in the paragraph below). In general, if you are required to meet PCI DSS standards as a merchant, it would be your bank telling you. If that is the case, skip this blog for now and jump over to our blog on the difference between an SAQ and a RoC.

The second type of PCI compliance is directly related to your role in the services you provide to this client. You are being asked if you are PCI-compliant as a Service Provider. This means that the services you provide to customers are performed in a manner that is compliant with PCI. How many of the PCI requirements will fall on your organization is dictated by what particular services you provide. For example, if you are simply providing them with a datacenter and have no logon rights to any customer system, your obligations would be pretty much limited to physical security. However, if you are a full-suite managed services provider (MSP) for this customer and are maintaining a database containing cardholder data for them, obviously there are quite a few controls that will be applicable.

Level of Audit

The next thing that needs to be determined is what type of audit you need, based on the level of assurance the client requires before they consider you PCI certified. I recommend going back to the customer and asking which of the following three options is acceptable to them:

  1. Can you just fill out an SAQ and provide it to them? – A self-assessment questionnaire (SAQ) is simply a checklist of PCI requirements that you mark off and sign to attest that you are meeting them. This approach can be completed by your team internally with no third-party engagement.
  2. Can you do an SAQ with the assistance of a QSA? – In the self-assessment questionnaire, there is a spot for a certified QSA to sign off that they helped you interpret and apply the requirements for your organization. This lends credibility to the report, since it is signed by a QSA, and can really help make sure you are answering everything appropriately. It gives you a chance to lean on a QSA to help you determine your scope and provide justification for any control that can be marked as not applicable. A key differentiator between this option and option 3 below is that nothing is validated technically; it is a 100% interview-driven approach. So if I ask what your password length requirement is, and you say 8 characters, we mark that as a ‘yes’ and move on. This assessment typically costs around $8,000, depending on the size of your organization and the scope of PCI requirements.
  3. Do you need to be a Level 1 Service Provider with a complete Report on Compliance? – This is the “worst case scenario” for most organizations, as it requires a significant investment of time and resources, both in preparation and during the assessment. If a Report on Compliance (RoC) is required, you need a full onsite audit from a certified QSA, in which every security control used to meet every requirement is validated and evidence is collected. Typically this is a 2-3 week engagement and can cost around $30,000, again depending on the scope and size of the project.

Hopefully, this quick overview will help you be more informed and better prepared for these conversations about PCI with your current customers as they come up. In general, it’s always a good idea to “phone a friend” when you need to, and talk to a QSA company about the best approach for your scenario. You’ll usually need to go back to whoever is requesting that you be PCI certified and clarify which of these 3 scenarios they’re expecting.