Tag Archives: Service Provider

8 PCI Compliance Requirements Every Business Needs to Know About

PCI compliance requirements are affecting virtually every industry and business sector, ultimately requiring organizations to undergo extensive measures for ensuring adherence to the Payment Card Industry Data Security Standards (PCI DSS) provisions. It’s thus important for merchants, service providers, and all other entities involved in the storage, processing, and/or transmission of cardholder data to understand what PCI compliance really means, that is, the “who, what, when, where, and why” of this ever-growing and expanding framework.  Charles Denyer, a noted Payment Card Industry Qualified Security Assessor (PCI-QSA), discusses the following 8 PCI compliance requirements that every business should know about:

1. Compliance is mandatory – Are you an organization that stores, processes, and/or transmits cardholder data, or have some type of credible nexus with such cardholder data? If so, then welcome to the world of PCI DSS compliance, which seems to be growing and expanding more and more.  For purposes of PCI, organizations are identified as either merchants or service providers, and along with these designations come varying compliance requirements, ranging from onsite assessments by a Payment Card Industry Qualified Security Assessor (PCI-QSA) to self-assessment procedures via the Self-Assessment Questionnaires (SAQ) available from the PCI Security Standards Council (PCI SSC).  

2. Policies and Procedures are a Must – One of the biggest mistakes I see as a PCI-QSA is merchants and service providers failing to understanding the fundamental importance of having documented policies and procedures in place for PCI compliance.  Sure, there are many technical requirements that must be met – no question about it – but the policy requirements can be just as arduous and taxing to complete. I recommend finding high-quality PCI compliance polices, such as those provided by pcipolicyportal.com.

3. Quarterly Scanning – Compliance with PCI for all merchants and service providers (regardless of transaction level) also consists of quarterly network scans, also known as "vulnerability scans", and it requires them to undergo both internal and external network scans.  And for initial PCI DSS compliance, four (4) passing quarterly scans is NOT required, but it is a strict requirement thereafter.  Additionally, scans are to be conducted by an Approved Scanning Vendor, known as an ASV, which is an organization ultimately approved by the Payment Card Industry Security Standards Council (PCI SSC) for conducting scans. Lastly – and this is important to note – internal and external scans are to be performed after any "significant" changes. What is "significant" – that's a question to discuss with a PCI-QSA, such as me, so give me a call if you have any questions at 1-800-277-5415, ext. 706.

4. Penetration Testing – PCI compliance requirements also include penetration testing, which is detailed in Requirement 11 of the actual Payment Card Industry Data Security Standards. In short, organizations will need to conduct a comprehensive pen test, which includes both external and internal tests, both from a network layer and application layer perspective.

5. Report on Compliance – If it’s an onsite assessment that’s required for your organization, then you’ll need to contact a Payment Card Industry Qualified Security Assessor (PCI-QSA), such as myself (Charles Denyer | 1-800-277-5415, ext. 706 | cdenyer@ndbcpa.com).  The end deliverable for an onsite assessment is known as the Report on Compliance, or “RoC” as it’s called in the industry.

6. SAQ vs. Onsite Assessments – The vast majority of merchants and service providers can meet PCI compliance via the self-assessment process, which essentially means completing a “Self-Assessment Questionnaire” and the accompanying Attestation of Compliance (AoC). However, a small, but growing number of organizations still require onsite assessments by an actual PCI-QSA.  The SAQ vs. Onsite Assessments are apples vs. oranges – very different in many ways – with costs being one of the most important to note.

7. If you process, store or transmit cardholder data, you’re in scope for PCI compliance – It’s really that simple and clear-cut. If you are involved in working with cardholder data in any way, then PCI compliance will surely be something to discuss amongst your organization.  Not only is non-compliance not a good idea, but your customers and other entities are starting to demand it now, more than ever before.  And this holds true especially for service providers, who are now being required to undertake compliance via SAQ D, or with an actual onsite assessment by a Payment Card Industry Qualified Security Assessor (PCI-QSA), such as Charles Denyer of NDB Advisory (cdenyer@ndbcpa.com | 1-800-277-5415, ext. 706).

8. PCI is a moving target – Forget about the "one and done" notion – compliance with the PCI DSS provisions requires a constant commitment, so just remember that.

PCI Compliance Atlanta GA | QSA Onsite Assessments, Audits, Consulting | Fixed Fees

As a trusted PCI compliance advisor to Atlanta, GA businesses, NDB Advisory provides QSA onsite assessments, audits, and consulting services to both merchants and service providers, along with any organizations involved in processing, storage, and transmission of cardholder data.  It’s a PCI world out there – and that’s putting it lightly – as almost every type of business is being highly affected by the Payment Card Industry Data Security Standards (PCI DSS) provisions.  From Level 1 onsite assessments to specialized consulting for Self-Assessment Questionnaire (SAQ) compliance, NDB and the trusted team of PCI compliance experts led by PCI-QSA Charles Denyer can help Atlanta business get compliant, stay compliant, all in an efficient and transparent manner.

As for NDB Advisory’s PCI DSS compliance services for Atlanta, GA, they include the following:

  • PCI DSS Readiness Assessments and Gap Analysis findings.
  • Level 1 onsite assessments performed by Payment Card Industry Qualified Security Assessors (PCI-QSA).
  • Remediation (both operational and technical).
  • Policy and procedure writing services for the numerous documents required to be in place for PCI DSS compliance.
  • Penetration Testing (both network and application layer).
  • Vulnerability Assessments (both internal and external).
  • Strategy and consulting services for all other related PCI DSS issues.

In summary, NDB Advisory’s Atlanta, GA PCI DSS compliance services include much more than just assessments – we provide a comprehensive set of solutions for today’s complex and demanding Georgia businesses. Give PCI-QSA Charles Denyer a call at 1-800-277-5415, ext. 706, or email him directly at cdenyer@ndbcpa.com.  

PCI Qualified Security Assessor | PCI QSA | Call NDB Advisory

Looking for a PCI Qaulified Security Assessor (QSA) who is cost-effective, has years of experience in performing these types of audits and can assist your organizatin with all your PCI DSS needs? If so, then contact NDB Advisory, a nationally recognized boutique QSA firm specializing in PCI DSS assessments.

NDB Advisory offers a comprehensive, cost-effective and workable approach for meeting compliance with the Payment Card Industry Data Security Standards provisions. A structured PCI DSS Roadmap for compliance is undertaken for ensuring your organization is fully aware of the scope of the assessment along with the time, efforts and internal commitments required by you.

NDB Advisory has conducted PCI DSS assessments for a large range of companies. Additionaly, we have also worked with a number of smaller organizations who only have to "self assess" against the PCI DSS standards, but still needed the expert advice of a Qualified Security Assessor (QSA).

Additionally, you can email me directly at cdenyer@ndbcpa.com with any questions you may have regarding Payment Card Industry Data Security Standards (PCI DSS) compliance, and I will be more than happy to assist you in any way I can.

Good luck on PCI compliance.

PCI DSS | Industry Terminology you Should Know

If you are a merchant or service provider and the Payment Card Industry Data Security Standards (PCI DSS) provisions are being required for your organization, then take some time to learn about industry terminology that will ultimately give you a better grasp of the who, what, where and why of PCI DSS compliance.

  • Cardholder: This is the customer purchasing goods either as a "card present" or "card not present" transaction. The customer is the individual who receives the payment card and bills from the issuer.
  • Issuer: Bank or other organization issuing a payment card on behalf of a Payment brand., such as MasterCard and Visa.  Additionally, some payment brands issue cards DIRECTLY, such as American Express, Discover Card and JCB.
  • Merchant: The organization accepting the payment card for payment during a purchase.
  • Acquirer: This is the bank or entity that the merchants uses to process their payment card transactions.  They essentially receive the authorization request from the merchant and forwards it to the issuer for approval. The acquirer also provides authorization, clearing and settlement services to merchants. Lastly, the acquirer is also called a merchant bank, ISO, a payment brand (AMEX, Discover, JCB), but NEVER Visa or MasterCard.

To learn more about the Payment Card Industry Data Security Standards (PCI DSS) provisions, visit the official PCI DSS Resource Guide

Requirements of Service Provider | PCI DSS Service Provider Levels

Requirements of Service Providers for Payment Card Industry Data Security Standards (PCI DSS) compliance are as follows:

VISA (Levels 1 to 3):

  • Annual onsite review by QSA
  • Quarterly network scan by ASV
  • Annual Self-Assessment Questionnaire
    (Canada: SAQ required and must be reviewed by QSA)

American Express (AMEX):

  • Annual on-site review by QSA (or internal auditor if signed by officer of merchant company)
  • Quarterly network scan by ASV


Quarterly network scans by ASV AND one of the following:

  • Annual on-site review by QSA (or internal auditor if signed by officer of Service Provider)
  • Annual self-assessment questionnaire


  • TPP validation requirements will be outlined in forthcoming JCB rules and regulations.


  • Level 1 SP's: Annual on-site review by QSA AND Quarterly network scan by ASV
  • Level 2 SP's: Annual self-assessment questionnaire AND Quarterly network scan.

To learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, visit the official PCI DSS Resource Guide.

PCI DSS Compliance Roadmap | What You Need to Know

A PCI DSS Compliance Roadmap should consist of a number of predefined phases for helping ensure your organization (be it a merchant or a service provider) is able to become PCI DSS compliant in an efficient and cost-effective manner.

With that said, listed below are the three main phases that encompass your PCI DSS Compliance Roadmap:

  • Phase I: PCI DSS Readiness Assessment
  • Phase II: Remediation & Implementation for PCI DSS
  • Phase III: Assessment & Reporting for PCI DSS

To learn more about these three (3) phases, visit pciassessment.org, an informative and in-depth website developed by a leading Payment Card Industry Data Security Standards (PCI DSS) consulting firm, NDB Advisory.

Generally speaking, this roadmap is for Level I Merchants and Service Providers who have to undergo and actual on-site assessment by a PCI Qualified Security Assessor (QSA) as approved by the Payment Card Industry Security Standards Council (PCI SSC).

Author: Charles Denyer