Article

Different Approaches to PCI Compliance

Ben Downton
12 min read

The PCI DSS standard remains the same, regardless of your organization. However, there are some differences in how to approach compliance. This article discusses these.

Merchants are the most common type of organization affected by PCI compliance. Merchants are organizations that process card transactions via any number of channels. They can range from high-street stores and energy providers to online shops and charities.

Service providers are defined as any organization that stores, processes, or transmits cardholder data on behalf of another. This also includes companies that could impact the security of that cardholder data. This covers various types of organizations, including:

  • Hosting providers
  • Call centers
  • Network support
  • Payment processing
  • Media storage centers
  • Data destruction

Some organizations can fall into both categories, handling card payments for themselves and also on behalf of other companies.

What level are you?

The first thing to establish as an organization is what level you are under PCI DSS guidelines. This level is normally set based on the number of transactions made per year. However it can be increased if you’re considered to be a high risk organization (as a result of past breaches).

This is described in Figure 1, though it must be stressed this table is just a summary, and organizations should seek expert guidance.

Requirements

Change

1

6 million+ transactions
Compromised Entity

- Annual audit and Report on Compliance (RoC)

- Attestation of Compliance (AoC)

- Quarterly external vulnerability scan by an ASV

2

1-6 million transactions

- Self-Assessment Questionnaire (SAQ) or annual audit and RoC

- Attestation of Compliance (AoC)

- Quarterly external vulnerability scan by an ASV

3

20,000-1 million e-commerce transactions

- Self-Assessment Questionnaire (SAQ)

- Attestation of Compliance (AoC)

- Quarterly external vulnerability scan by an ASV

4

<20,000 e-commerce transactions
<1 million otherwise

- Self-Assessment Questionnaire (SAQ) recommended

- Attestation of Compliance (AoC)

- Quarterly external vulnerability scan by an ASV if applicable

Service Provider Level

Criteria

Validation

1

300,000+ transactions annually

- Annual audit and Report on Compliance (RoC)

- Quarterly external vulnerability scan by an ASV

2

<300,000 transactions annually

- Self-Assessment Questionnaire (SAQ) D

- Quarterly external vulnerability scan by an ASV

Figure 1. Summary of Merchant and Service Provider Levels

It should also be noted this is based on the number of transactions only, not the value of those transactions. This is because a breach of a single card is worth the same to a criminal, regardless of how much was paid in the original transaction.

The Merchant or Service Provider Level doesn’t denote how compliant you must be, or which parts of the standard apply. The PCI DSS applies whether you are processing one card or one billion cards. What changes is how you obtain and prove that compliance. For Level 1, this will require a full audit by an independent PCI QSA assessor - lower levels may submit a Self-Assessment Questionnaire (SAQ).

For merchants, there are four levels, with Level 1 being the highest and Level 4 the lowest. The guidance on how to determine each level is set by the card brands. However, ultimately it’s the merchant acquirer (also known as the acquiring bank) who sets this level. If you’re in any doubt, please contact your acquirer.

The level for merchants is also based on the transactions that are processed by that particular acquirer and aren’t aggregated. Merchants with multiple payment channels and different acquirers may find they’re processing enough in total to warrant being a Level 1 Merchant, but in fact only have to validate to each acquirer as a Level 2.

For service providers, there are only two levels - Level 1 and Level 2. Unlike merchants, service providers must look at the aggregate number of transactions per year to determine which level they are.

Compliance Validation

One of the key differences between merchants and service providers is how compliance is validated. Merchants validate their compliance by submitting evidence to their acquirer, whereas service providers must submit evidence to the individual card brands (Visa, MasterCard, American Express, JCB, and Discover).

Both Level 1 merchants and service providers can only validate compliance with an independent assessment by a PCI QSA. Level 2 (and below) merchants and service providers may be able to complete an SAQ to validate compliance.

For merchants, there are multiple SAQs, each of which represents a subset of PCI requirements and can be completed if certain criteria are met. For service providers who wish to self-assess (and merchants who don’t meet the criteria for any other SAQs) SAQ D must be completed. SAQ D constitutes the full set of PCI requirements.

A common misconception is that there’s such thing as partial compliance. As far as PCI DSS assessments go, you’re either compliant or non-compliant. This has a number of ramifications.

Firstly, as a Merchant, you can’t obtain compliance for certain parts of your environment. You must validate the organization as a whole. We’ve seen many merchants with multi-faceted organizations use different SAQs to determine which parts of the organization are in line with PCI DSS requirements. Whilst this approach is a useful aid, any single non-compliance will mean the entire organization is non-compliant. Furthermore, a single assessment for validation must cover all of these environments together.

Secondly, there can’t be ‘PCI compliant’ solutions in place that negate the need for compliance. This is because the standard applies to the environment in which cardholder data is handled.

To put this into context, a non-compliant Service Provider that managed a call center for their customer might state they had a ‘compliant voice solution’. This statement is misleading as, whilst the solution may support their compliance efforts, it doesn’t remove the rest of the environment (such as workstations, call operators, data centers, and so on) from the scope of compliance. The Service Provider is still non-compliant and still affects their customer’s compliance program.

One point to note is that, whilst merchants assess the organization as a whole, service providers validate compliance for one, some, or all of the services they offer. A service provider may be able to offer a PCI-compliant dedicated hosting solution, for example, whereas other services (e.g. their shared hosting platforms) may not be compliant.

Evidence of Validation

There’s no such thing as an official ‘Certificate of Compliance’, though there’s certainly demand for it from organizations looking to promote themselves as compliant. This has led to some assessor companies offering rather flashy-looking pieces of paper – great for marketing material but not much else.

The real proof of compliance is a signed and submitted Attestation of Compliance (AoC). Completed by an officer of the company responsible for compliance (typically the CFO or similar), this attestation certifies all of the relevant PCI requirements have been met. If the assessment that took place was an audit, this will also be countersigned by the lead QSA responsible for the assessment.

Service providers may provide a completed AoC to their customers, however the card brands also maintain a list of compliant service providers on the appropriate web pages. This lists the service provider, compliance date (and whether self-assessed or independently audited), and other important information. It’s also concrete evidence the service provider’s compliant, though the customer should take care that compliance was attained for the service being provided.

For organizations that validate as both a merchant and a service provider, the appropriate AoC should be provided. Validating as a merchant only demonstrates you’re handling your own card details in a compliant manner – it doesn’t validate the service that you offer to customers will also be compliant.

Scope of assessments

Establishing the scope of the Cardholder Data Environment (CDE) and of an assessment is an extremely challenging issue. The standard is relatively clear with quite prescriptive controls, but a minority of those requirements need interpretation.

A significant portion of the work we do to help clients become compliant focuses on establishing, identifying changes to, and reducing the scope of compliance. Techniques have been discussed at previous Briefings and in the PCI for Merchants paper. This section will cover how the scope of assessments can be affected by the use of compliant and non-compliant Service Providers.

Service providers that aren’t compliant have two options open to them:

1.   Undergo a PCI DSS assessment to validate compliance

2.   Have their services reviewed as part of each customer’s PCI DSS assessment

A merchant that’s using a non-compliant service provider will find that the scope of their PCI DSS environment has been increased, and may actually harm the Merchant’s current PCI compliant status.

From a merchant’s perspective, it’s obviously preferable to use a PCI-compliant service provider. Bringing in a service provider’s environment to the scope of the merchant’s compliance program can be costly. Despite Right to Audit clauses commonly found in outsourcing contracts, obtaining full access to a service provider’s systems and data may be difficult - particularly for shared environments where separating an individual customer’s data may be difficult or impossible.

There’s great value in obtaining PCI DSS compliance as a service provider. Compliance offers a business benefit for service providers that are able to offer it to their customers. As merchants seek to outsource more of their cardholder data functions and reduce their compliance burden, service providers that can provide compliant services are uniquely positioned. Plus, with validated compliance, the cost in resourcing and accommodating multiple audits by multiple customers is significantly reduced.

Summary

We hope this article’s answered some of the basic questions about how merchants and service providers go about attaining (and maintaining) PCI compliance. Compliance benefits both service providers, as a key business differentiator, and merchants who make use of these services in supporting their own compliance efforts.

Sign up for the latest insights

Accreditations & Certificates

F-Secure Consulting is a value-added supplier and have a B-BBEE procurement recognition level of 100%. Learn more

Follow us
@fsecure_consult F-Secure-Consulting /fsecurelabs