Monthly Archives: June 2009

Q: What Volume Determines PCI DSS Requirements? A: Read on

This is a question I'm always asked as a PCI QSA: "What volume or transaction level will ultimately determine my PCI DSS compliance requirements?"

Well, here you go:

For Merchants, this is the information you need to know about volume and transaction levels.

For Service Providers, this is the information you need to know about volume and transaction levels.

Keep in mind that for service providers seeking to become Payment Card Industry Data Security Standard (PCI DSS) compliant, most, if not all, will essentially have to undertake a Level 1 PCI DSS annual on-site assessment, which culminates in the issuance of a PCI DSS Report on Compliance, simply known as the ROC.

PCI DSS Requirements for Service Providers | AMEX | JCB | Discover | VISA | MasterCard

If your organization has been identified as a "service provider" for purposes of PCI DSS compliance, then here is what you need to know. First and foremost, VISA's requirements for PCI DSS compliance are listed below. Notice something similar across the levels? In short, all Service Providers have to have an annual on-site assessment done by a Qualified Security Assessor, known as a QSA.

Visa Service Provider Validation Requirements Defined.

Validation requirements by level (Canada, Europe, USA):

Level 1
  • Annual on-site review by QSA
  • Quarterly network scan by ASV
  • Annual Self-Assessment Questionnaire (Canada: SAQ required and must be reviewed by QSA)

Level 2
  • Annual on-site review by QSA
  • Quarterly network scan by ASV
  • Annual Self-Assessment Questionnaire (Canada: must be reviewed by QSA)

Level 3
  • Annual on-site review by QSA
  • Quarterly network scan by ASV
  • Annual Self-Assessment Questionnaire (Canada: must be reviewed by QSA)