Frequently Asked Questions
Why am I required to have an onsite assessment by a Qualified Security Assessor (QSA)?
As a merchant, you would be required to have a QSA perform an onsite assessment of your cardholder data environment for one of two reasons:
1. You are a Level 1 or Level 2 Merchant. To determine your merchant level, you must know the number of transactions you process annually. Each card brand uses a slightly different set of thresholds to determine merchant levels. You may wish to ask your acquiring bank representative to help you determine your merchant level.
2. Your acquiring bank has determined that, due to certain increased risk factors (such as a past data compromise), your company must be assessed by a QSA.
Can I complete the Self-Assessment Questionnaire (SAQ) and avoid a QSA assessment?
If you are a Level 3 or Level 4 merchant, you may be able to simply complete the SAQ. However, if you fit into one of the categories listed above, you will be required to validate your compliance through an onsite assessment by a Qualified Security Assessor (QSA).
Who determines merchant levels and how do I find my level?
Merchant level classifications are determined by the individual card brands.
Please see the following links to find information on determining your level:
Visa
Mastercard
American Express
Discover
What are the fines and penalties assessed to companies for non-compliance with the PCI DSS?
Any fines and/or penalties associated with non-compliance with the PCI DSS are usually levied by your acquiring bank. For additional details regarding PCI DSS compliance fines and deadlines please phone the number found on your merchant statement.
What is the difference between compliance and validation?
Compliance simply means adhering to the requirements of the PCI DSS. Validation of that compliance is the established process implemented to prove one's compliance. This can mean validation through self-assessment or validation through an onsite assessment with a QSA.
How is a QSA qualified to validate my compliance?
Qualified Security Assessors are required to have a minimum of five years of security experience and to pass one of the following industry-standard examinations: CISSP, CISA, or CISM. During your assessment, you will demonstrate how you comply with each of the PCI DSS requirements, and your QSA will validate in writing your compliance with the standard.
How can I prepare to ensure I receive a passing Report-on-Compliance (ROC)?
SecurityMetrics provides consultation and full gap analysis for their customers prior to an assessment. Contact a professional PCI Consultant at 801-705-5656 to learn more about this service.
How long does it take to receive the completed Report-on-Compliance (ROC)?
The time required depends on the complexity of your cardholder data environment and whether or not you have completed a previous assessment. For a general overview of the time and steps involved, please reference the following page.
Where do I find the PCI DSS v1.2?
Click here to view the latest document. Additional information and supporting documents can be found at www.pcisecuritystandards.org