PCI Compliance Services

The PCI DSS is a set of best practice security measures to ensure the protection of payment card account data (customers’ cardholder data and sensitive authentication data) and the security of any environment where payment card account data is accepted, processed, stored, and/or transmitted. Compliance with the PCI DSS involves implementing, operating, and maintaining those security measures from the standard that are applicable to your business’s cardholder data environment(s) to keep systems and payment card account data secure and to help prevent, detect, and respond to data breaches.

The PCI DSS itself isn’t about certification; rather, it is about following (complying with) the security measures and controls contained in the standard. The PCI DSS applies to all organizations involved in payment card processing (including merchants, processors, acquirers, issuers, and service providers), as well as to all other organizations that store, process, or transmit (or could impact the security of) payment card account data.

Some organizations may be required to validate their compliance with the PCI DSS. Compliance validation is the annual process of performing an assessment of the organization’s PCI DSS compliance (either through self-assessment or as a formal assessment undertaken by a PCI Qualified Security Assessor), completing the applicable assessment reporting document and associated PCI DSS Attestation of Compliance, and submitting those validation documents (including an Approved Scanning Vendor (ASV) external vulnerability scan report, if required) to the relevant compliance accepting entity. Validation is an annual, point-in-time declaration of the organization’s compliance with the PCI DSS.

Whether an organization is in scope for and subject to the PCI DSS requirement to validate their compliance is at the discretion of those organizations that manage PCI DSS compliance programs, such as the payment card brands and acquiring banks. Validation requirements may be specified in the payment card brands’ rules or other standards and differ for certain types of organizations or are based on the volume of transactions processed.

There are two main ways an organization can determine PCI compliance.

1. Self-Assessment Questionnaire (SAQ): An SAQ is a form with questions on either all or a subset of the PCI DSS requirements. There are different SAQ versions for merchants and service providers. Each merchant SAQ addresses specific common payment processing methods. SAQs are intended for use by smaller organizations (processing smaller volumes of account data) to complete their assessment of and report on their compliance.
2. Formal PCI DSS assessment resulting in the completion of a Report on Compliance (ROC): For larger organizations processing a high volume of transactions, or those organizations mandated by the payment card brands and acquiring banks to perform a formal assessment of PCI DSS compliance. The compliance assessment is performed by a PCI Qualified Security Assessor (QSA).

Payment card brands may permit the performance of the formal assessment by a PCI Internal Security Assessor (ISA) or other suitably qualified internal resource. The formal assessment is similar to an audit; it is an in-depth review of each applicable PCI DSS requirement, where the QSA must perform the expected testing set out in the PCI DSS to gather sufficient evidence (through examination, observation, or interview) to enable them to determine that a requirement has been met.

Whether an organization is able to validate its compliance through self-assessment or is required to undertake a formal assessment is determined by those organizations that manage PCI DSS compliance programs, such as the payment card brands and acquiring banks. Validation requirements may be specified in the payment card brands’ rules or other standards and differ for certain types of organizations or are based on the volume of transactions processed.

Proving PCI DSS compliance can be equated with the annual assessment and validation of compliance. However, compliance with the PCI DSS should not be thought of as a one-time or annual test; rather, it is an ongoing effort and a status to be continually maintained.

The high-level steps to assess and thereby prove compliance with the PCI DSS are:

1. Assign responsibility and designate resources
2. Determine your compliance validation requirement
3. Understand the Requirements
4. Confirm Your Assessment Scope
5. Perform the Assessment
6. Remediate Gaps
7. Complete Reporting and Validation Documentation
8. Maintain Compliance
9. Review and Address Change

Protecting payment card account data from unauthorized use, exposure, and potential fraud is key in delivering the trust expected by customers and partners. If customers or partners find out security is lax for example, as a result of a data breach or is not up to the standard expected, they might take their business elsewhere.

The potential consequences and costs of non-compliance with the PCI DSS include:

• For merchants, the potential for non-compliance charges levied by acquirer(s) / merchant services provider.
• For service providers, the possibility of not meeting contractual obligations.
• May be in breach of personal data protection regulations, such as the EU GDPR.

If a data breach occurs, costs can be encountered in several areas:

• Notification – serving notice to data subjects, determining regulatory requirements, and communicating with regulators.
• Post-breach response: communicating with and supporting affected customers, recompense and credit monitoring/ID protection costs, legal expenses, and regulatory fines.
• Detection and escalation – forensics/investigations, crisis management, boards/executive communications.
• Revenue and lost opportunities – service disruption and downtime, customer attrition, and reputation/goodwill losses.
• Post-breach recovery, remediation, and compliance assessment costs.
• Penalties levied by the payment card brands.
• Penalties levied by data protection regulators for breach of personal data.

Achieving (and maintaining) PCI DSS compliance carries a range of up-front and ongoing costs. The cost and effort will vary depending on an organization’s specific situation. What you can expect to pay depends on variables such as:.

• The size, location, and nature of the organization.
• The number of card-based transactions processed (or support the processing of) annually.
• How process card-based payments are captured (i.e., in-person, via mail order or telephone, or online) – if a merchant business.
• The services offered, the organization’s role in payment card processing, and the potential to impact the security of account data - if the organization is a third-party service provider.
• The complexity of the organization's network, systems, and security setup that supports the payment card acceptance and/or processing.

Potential cost areas include:

• Annual PCI DSS Assessment
• Security Testing
• Network, hardware, software, and technology spend
• Implementation and remediation
• Documentation and training
• Resource/Time commitments