Understanding and complying with PCI DSS is not just about meeting regulatory requirements; it's also about protecting your business and customers from threats and preventing data breaches and fraud.
This is Part II of our PCI SAQs Explained guide. To check out Part I, click here!
In the first part of our PC SAQs guide, we covered a series of frequently asked questions like:
- What Is PCI SAQ?
- Why Are PCI SAQs Required?
- Which PCI SAQ Do I need?
- How Do I Determine The Right SAQ For My Business?
In the second part of our guide, we’ll cover additional PCI-DSS requirements to help you keep your business compliant.
Let’s start by assessing another frequently asked question:
What Is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
PCI DSS was developed by the Payment Card Industry Security Standards Council (PCI SSC). Meeting compliance with PCI DSS is essential to protect sensitive cardholder information, mitigate data breach risk, and maintain customer trust.
The Role Of PCI DSS In Ensuring Business Compliance
Understanding and complying with PCI DSS is not just about meeting regulatory requirements; it’s also about protecting your business and customers from threats and preventing data breaches and fraud.
In Part I, we discussed how PCI SAQs help merchants self-assess their compliance based on their business model and payment processing methods. However, self-assessment is just one part of the PCI DSS compliance process. To ensure thorough and ongoing security, businesses must also engage with other critical components like ASV Scans, QSAs, and specific considerations for MOTO merchants.
Let’s dive into each.
ASV Scan (Approved Scanning Vendor Scan)
An ASV Scan is a quarterly external vulnerability scan required for most merchants and service providers. It’s performed by a PCI SSC-certified vendor to ensure that external IP addresses handling credit card data are secure from known threats. These scans are essential for PCI DSS compliance.
Key Points:
- Frequency: Conducted quarterly and after significant changes to the external network.
- Objective: Identifies vulnerabilities that attackers could exploit to access cardholder data.
- Requirement: Must be performed by a PCI SSC-approved vendor — Approved Scanning Vendor (ASVs) –, a certified professional that can conduct external vulnerability scans as part of PCI DSS compliance. They must adhere to strict standards and guidelines set by the PCI SSC.
Roles of ASVs:
- Conduct Scans: Perform required external vulnerability scans.
- Report Findings: Provide detailed reports on vulnerabilities with guidance for remediation.
- Validate Compliance: Confirm security improvements and validate compliance post-remediation.
Examples of ASVs: Companies like Qualys, Trustwave, and SecureWorks.
QSA (Qualified Security Assessor)
A QSA is a professional certified by the PCI SSC to assist organizations in assessing their compliance with PCI DSS standards. They are employed by certified companies known as QSA Companies.
Key Roles of QSAs:
- Assessment: Perform on-site PCI DSS assessments.
- Consulting: Offer expert advice on maintaining compliance.
- Validation: Validate compliance efforts and submit reports to relevant parties.
MOTO (Mail Order, Telephone Order) Merchants
MOTO merchants conduct sales via mail orders or telephone orders without any face-to-face customer interaction. They use virtual terminals accessed via a web-based application hosted by a third party to enter payment card data on behalf of the customer.
Payment Processing:
- The merchant’s operators enter payment data received over the phone or via mail into the virtual terminal.
- The terminal itself is hosted on secure servers by a third-party service provider.
- No electronic storage of cardholder data is allowed on the merchant’s systems. After entering the data into the virtual terminal, it is processed and stored securely by the third-party provider.
Keep Your Business Compliant With CommerceGate
CommerceGate is your global payment partner and holds a PCI DSS Level 1 Certification for customer and card data.
