If a client or your bank has told you to get compliant, or if you are an entrepreneur starting a business and think you might need to comply, you’ve come to the right place.
What is PCI?
The first PCI standard was created in 2004. The five major card brands VISA, MasterCard, American Express and Discover had until that point separate information security programs that merchants were supposed to follow to protect card data. To cause less confusion and increase the security of the payment ecosystem, the card brands decided to come together and create one standard to rule them all.
PCI applies to any organization that captures, processes, transmits or stores cardholder data. It is usually enforced by your acquiring bank through your merchant agreement. If you run an online business that accepts card payments for products, or if you have a brick and mortar store accepting payments on a payment terminal, you must comply to the PCI DSS. If your business in any way comes into contact with payment cards bearing the logo of the five major card brands you must comply.
Merchant vs Service Providers
If you need to comply you must first determine whether you are a Merchant or Service Provider. This will determine your reporting requirements and have an impact on your applicable controls.
- Merchant: For the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
- Service Provider: A business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities.
In some cases, you may be both. For example, if you were a hosting provider that had customers running ecommerce sites and you also accepted cardholder data.
PCI Levels
Once you have determined whether you are a Merchant or Service Provider (or both), we will move on to determining our level. Levels depend on your annual transaction volume and determine your reporting requirements and, most importantly, whether you can self assess your compliance or if you will need the services of a QSA to perform a full onsite assessment referred to as a ROC (Report on Compliance). Use the tables below to work out your level.
As with a lot of things in PCI, you should ratify this with your bank or the payment brand you deal with. Some banks require ROC assessments for level 2 merchants or have different definitions of the levels.
SAQ vs ROC Assessments
If you are a level one merchant or service provider, you cannot self-assess with an SAQ (Self Assessment Questionnaire) and you will need to complete a ROC (Report on Compliance) assessment with a QSA. I am a QSA certified to complete assessments in Australia and New Zealand, you can reach me using the Contact page (shameless plug). If you are from elsewhere or just want to use someone else you can find a local QSA on the PCI SSC Website.
If you are level 2-4 (or 2 service provider), you can use the applicable SAQ to validate your compliance. Each SAQ is made up of requirements from the full PCI DSS standard that the PCI SSC have determined as applicable to certain environments. Please note this is accurate at the time of writing for PCI V3.2.1.
The easiest way to see which SAQ best applies to your environment is to follow this handy chart from the PCI SSC guideline document Self-Assessment Questionnaire Instructions and Guidelines.
Each SAQ has eligibility criteria you will need to meet. You can find the full copies of each SAQ with the criteria in the council’s document library.
Merchants who have multiple payment channels may need to complete multiple SAQs or complete an SAQ D with the applicable requirements. If you are having trouble determining which SAQ(s) applies to you, reach out your acquirer, payment brand or a QSA.
IMPORTANT: Consult your acquirer or payment brand, they will make the final decision on your reporting requirements.
Once you have determined your reporting requirements (and confirmed with your acquirer or payment brand!), you are ready to start look at scoping your environment.
Key takeaways
- PCI applies when you process, store or transmit cardholder data.
- Merchants and Service Providers have different levels with different reporting requirements.
- SAQs can be used to assess compliance to a limited amount of requirements of the PCI DSS in different types of environments.
- You should run things that have a material affect on your compliance by your acquiring bank or payment brand.