PCI Compliance: What it means and how it’s evaluated

Posted: March 24, 2021 9:46AM ET • 2 min read


Compliance with the Payment Card Industry Data Security Standards (PCI DSS) is mandated by credit card companies to safeguard cardholder information against theft and misuse. “PCI Compliance,” as it is generally known, refers to the technical and operational standards merchants must meet in order to adequately mitigate data breaches and deter fraudulent use of cardholder information.

Applicability

PCI compliance is not always a requirement enforceable by law in itself. However, all major credit card issuers require adherence to the standards for liability purposes, and many jurisdictions have crafted their own data-protection laws that either reference the PCI requirements or are aligned with them.

Some card issuers, like Visa, exempt merchants from annual PCI compliance evaluations if they adopt alternative precautions against fraud that provide equal or greater safeguards, such as EMV or point-to-point encryption.

Validation of Compliance

The Payment Card Industry Data Security Standard (PCI DSS) has six major objectives supported by 12 key requirements. These, in turn, comprise 78 base requirements and are evaluated by over 400 test procedures. The rigorous evaluation process involves the following assessor roles and compliance documents:

Qualified Security Assessor (QSA)

QSAs are independent individuals who have met the PCI DSS requirements to conduct assessments and who hold a certificate from the PCI SSC to that effect.

Internal Security Assessor (ISA)

An ISA is an individual certified by the PCI SSC to perform PCI self-assessments on behalf of their sponsoring organization. This certification empowers the individual not only to perform internal appraisals of the organization’s compliance, but also to recommend further security solutions and controls to achieve or retain PCI compliance. Part of their responsibility is to liaise with QSAs and assist with their investigations as needed.

Report on Compliance (ROC)

The ROC is completed by all PCI Level 1 merchants to confirm that their policies, strategies, approaches, and workflows have been appropriately developed and implemented to protect cardholder data against fraudulent transactions.

Self-Assessment Questionnaire (SAQ)

Which SAQs a merchant is expected to complete depends on the number and type of transactions they process in a year. However, the goal remains the same: to attest to the merchant’s acquiring bank that they are aware of the requirements and are abiding by them. Questions answered with a “No” will be highlighted for future implementation.

ABOUT THE AUTHOR


Joe Ritacca
Vice President, IT and Research & Development

As Vice President of Precise ParkLink’s Research and Development department and as the head of Precise ParkLink’s Project Management Office, Joe leads a team of systems engineers and software developers, guiding the development of creative solutions. The innovations and integrations he and his team develop let Precise ParkLink offer something truly unique in the Canadian marketplace — a fully turnkey parking technology and management solution. Having studied business administration and computer science at Ryerson University, and with over 25 years of parking industry experience, Joe is ideally suited to his role building teams that can conceptualize solutions and drive change on clients’ behalf.
