The different SAQ types are provided on the PCI Security Standards Council website at the following location:
If you are still unsure which SAQ applies, we highly recommend confirming with your acquiring bank before starting to complete the SAQ.
No. The belief that outsourcing card processing makes an organisation automatically compliant is one of the top 10 myths listed on the PCI Security Standards Council website:
Organisations still need to address:
• Policies and procedures for cardholder transactions and data processing.
• Protecting cardholder data when you receive it.
• Processing chargebacks and refunds.
• Ensuring that providers' applications and card payment terminals comply with the respective PCI standards.
Outsourcing card processing to PCI compliant gateways (such as Eway) can be a good solution for small to medium enterprises and can simplify the process of becoming compliant.
Non-compliance increases the risk of a serious security breach and can severely damage your reputation and your ability to conduct business effectively. In addition, your acquirer may impose ongoing non-compliance fines.
Furthermore, large card scheme fines following a data breach at a non-compliant organisation are common practice. The PCI Security Standards Council provides detailed information on the risks associated with non-compliance:
https://www.pcisecuritystandards.org/security_standards/why_comply.php
A key step in the scoping stage is documenting cardholder data flows in a data flow diagram. The objective is to show every cardholder data flow and to confirm that any network segmentation is effective at isolating the cardholder data environment.
The original "as-is" flow should be analysed first. Once unnecessary cardholder data, and unnecessary storage of it, has been identified, a "to-be" cardholder data flow diagram should be documented which clearly defines the cardholder data environment (CDE), enabling the organisation to reduce its PCI DSS scope.
Short answer: it varies. The overall cost of a PCI project (from non-compliant to compliant state) can be anywhere from a few thousand dollars to tens of millions of dollars, depending on the type and size of the business, the number of card transactions, the approach to compliance, the current state of security in the organisation, etc.
Some good resources on the topic can be found here:
- http://mspmentor.net/managed-security-services/whats-true-cost-pci-compliance-stillsecure-calculates- - answers
Remember that organisations are required to comply with PCI DSS on an annual basis. Compliance is ongoing and, as such, should be budgeted for every year rather than treated as a one-off project.
The short answer is no, you do not have to hire a QSA, regardless of the level at which your organisation is categorised under PCI. Even if your organisation is Level 1, your annual Report on Compliance can be completed by a competent internal auditor, preferably one who has obtained the PCI SSC Internal Security Assessor ("ISA") certification.
However, it is highly recommended. QSAs have a strong understanding of the standard, can help you identify and remediate gaps, and can assist with key scoping decisions that help your organisation become compliant quickly and cost effectively, possibly even improving your underlying business processes.
The validation requirements differ based on whether your organisation is a Level 1, 2, 3 or 4 merchant. Level 1 merchants are required to complete an annual Report on Compliance ("ROC"), prepared by either a Qualified Security Assessor ("QSA") or an internal auditor if signed by an officer of the company.
All levels are required to have quarterly network scans completed by an ASV. All levels except Level 4 are required to complete the Attestation of Compliance form.
Please refer to 'Am I a Level 1, Level 2, Level 3 or Level 4 merchant?' above for a full list of validation requirements.
There are four different merchant levels for PCI DSS, and the compliance program to be followed (and the degree of complexity involved in being compliant) depends on the classification level of your organisation. The level of your organisation depends on the number of payment transactions (inclusive of credit, debit and prepaid) processed annually for each of the governing payment card providers. This is set by the card providers and not by the PCI Security Standards Council.
An explanation of each level for each card provider is outlined below:
American Express: https://www209.americanexpress.com/merchant/services/en_US/data-security
As an example, here are the levels from VISA:
1 - Compromised entities may be escalated at regional discretion.
2 - A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. An exception may apply to global merchants if there is no common infrastructure and Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.
Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain PCI DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.
A full list of ASVs is maintained by the PCI Security Standards Council here:
https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
Qualified Security Assessor (QSA) companies are organizations that have been qualified by the Council to have their employees assess compliance to the PCI DSS standard. Qualified Security Assessors are employees of these organizations who have been certified by the Council to validate an entity’s adherence to the PCI DSS.
A full list of QSAs is maintained by the PCI Security Standards Council here:
https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php
A service provider, for the purposes of PCI DSS, is a third party that provides services to another organisation where the services provided involve handling payment cards and affect the security of that organisation's customer card details, e.g. PayPal.
The official description of a service provider from the PCI Security Standards Council is a "Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data."
An acquiring bank (or acquirer) is a bank or financial institution that processes credit or debit card payments on behalf of a merchant. Examples of acquiring banks in Australia are ANZ, CBA, Westpac and NAB.
All organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM and POS cards, such as Visa or Mastercard, need to be compliant with the PCI DSS standard.
A merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and so reduce credit card fraud arising from its exposure.
It was originally created by Visa, Mastercard, American Express, Discover and JCB in 2004. The updated versions are:
- Version 1.2 was released on October 1, 2008
- Version 2.0 was released in October 2010
- Version 3.0 was released in November 2013 and is active from January 1, 2014 to December 31, 2016.
The PCI DSS specifies 12 requirements for compliance, organized into six logically related groups called "control objectives", which are:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy.