Each card brand maintains its own Payment Card Industry (PCI) Data Security Standard (DSS) compliance and validation requirements, based on the number of transactions stored, processed, or transmitted. Typically, Level 1 Merchants (over 6 million transactions annually) and Level 1 Service Providers (over 300,000 transactions annually) are required to validate compliance with the PCI DSS through an onsite assessment. Beginning on June 20, 2012, MasterCard will also require that Level 2 Merchants (1-6 million annual transactions) either use staff who have completed PCI Internal Security Assessor (ISA) training to conduct a self-assessment or engage a Qualified Security Assessor (QSA) to conduct the onsite assessment.
PCI DSS compliance requirements can typically be found in merchant agreements with acquiring banks and within contractual agreements for service providers. Federal and state governments have added their own compliance requirements, including the GLBA, FTC Act and state breach notification laws.
SecureState’s approach to a PCI Onsite Assessment follows a phased approach to make the most effective and efficient use of time. The goals are to:
- Review documentation prior to the onsite visit to minimize disruptions
- Keep you up-to-date on evolving PCI requirements, threats, and liabilities
- Provide weekly status updates on remediation requirements
- Avoid damages often totaling millions of dollars that could result from a cardholder data compromise
- Partner with your organization to ensure full compliance and a secure cardholder data environment
The stages of our PCI Onsite Assessment, with brief descriptions, are as follows:
- Introduce engagement participants and define roles
- Review assessment activities
- Establish schedules
- Collect, review, and assess security policies, procedures, and diagrams
- Review and confirm scoping limitations of the PCI cardholder data environment
- Interview key personnel on compliance activities
- Sample cardholder locations, equipment, and devices associated with processing cardholder information, if necessary, per the section below
- Document existing controls
- Assess compliance of existing controls
- Identify gaps and provide remediation advice
- Deliver the RoC and AoC