What You Need to Know About Compliance Validation
By Greg Johnson, PCIP – CEO, Webcheck Security
Since 2006 I have been privileged, through various roles and in good companies, to counsel with and advise service providers and merchants alike in regard to PCI compliance. This article is to clear the fog and lay out the facts for you as a service provider so your validation requirements are clear.
First, let’s define what I mean when I say “service provider.” This is a blanket term which can encompass Independent Software Vendors (ISVs), payment gateways, payment facilitators, and vertical-market Software-as-a-Service (SaaS) applications which, as a value add or main function, offer card payment processing.
A classic example of this is QuickBooks. QuickBooks is really all about accounting, but in later years added (and wonderfully so) the ability to invoice and accept payments. An example of a vertical value-add application is foreUP golf course and club management software. foreUP has, as its core function, the management of the course and pro shops, but accesses payment partners such as Worldpay and others in its software to facilitate payments.
I could probably list thousands of examples from text messaging apps to dental office management systems to sports applications – some of which may not touch the card data due to redirects or other methods – but all of which have a PCI validation responsibility.
Concept #1 – Over or Under 300,000 Transactions
There are two main ways to validate your compliance: a Self-Assessment Questionnaire (SAQ) or a Qualified Security Assessor (QSA) audit. Simply put, if you as a service provider store, process, or even transmit (transmit = card data traverses even a piece of your infrastructure) over 300,000 transactions per year, then you will be on Visa’s radar. In that case, as enforced through your processing partner, you must hire a QSA firm to perform, and you must pass, a Level 1 Service Provider PCI Audit. (See https://usa.visa.com/dam/VCOM/download/merchants/data-security-compliane-service-providers.pdf)
Concept #2 – Do You Want to be On The List?
Visa maintains a global registry of service providers which any service provider can register for and appear on once they pass the PCI audit from a QSA and produce a Report on Compliance (ROC). (See https://usa.visa.com/splisting/splistingindex.html) Level 2 service providers, meaning those facilitating or processing fewer than 300,000 transactions per year, can choose to get on the list for business or sales enablement purposes. They must be prepared to spend the money required to prepare for and pass a Level 1 audit, and to pay the registration fee. Typical QSA audits will range from $17k to $25k depending on size, scope and locations, and the Visa fee changes from time to time but has traditionally been $10k.
Concept #3 – SAQ D – Service Providers
Most of you reading this article as service providers will fall in the Level 2 or self-assessment category. You may not care to be listed on the Visa Global Registry; you just want to demonstrate your compliance because you’ve been asked to by clients, partners, and most importantly, your processor or acquiring bank (also known as acquirers).
There’s a good news/bad news component here. The good news? You get to self-assess! The bad news: there is only one option for service providers, and that is the SAQ D – Service Providers, the self-assessment questionnaire for service providers. This questionnaire represents the full set of PCI DSS controls and can take some time to comply with. Even if your technology redirects or uses end-to-end encryption, etc., you must still use this SAQ.
There is another element of good news here, however, for SAQ D – Service Providers folks: if you are redirecting or using cardholder data environment scope-reducing technologies, you may be able to answer some of the questions as “N/A” if you provide an adequate description of why.
Let’s Be Clear – Proof
To be clear about demonstrating validation, however: even if you are in the self-assessing category, the hard reality is that you will find it hard to satisfy some clients and partners without solid third-party validation proof.
For that reason, most acquirers (your payment partners) will require that you demonstrate a passing annual penetration test and that you are enrolled in an ASV-approved vulnerability scanning program and are passing your scans (services provided by Webcheck Security). Pen tests and scans aren’t nearly as costly as the full PCI audits for small service providers, and can be performed, remediated and passed with relative ease.
Indeed, the SAQ D requires quarterly scanning and annual penetration testing anyway (Requirements 11.2 and 11.3). A service provider may say, “Well, we don’t process the card data – we call the processor’s gateway and their form presents directly to the merchant or user, and the card data never touches our network or cloud….” You’ll still find it hard to make that argument without security validation by a third party (scanning and pen testing).
A final word on security best practices: even if the scenario above is true, meaning your payment facilitation doesn’t touch the card data, please remember that servers and processes can still be hijacked, compromised, redirected, etc., so why not put all doubt to rest and present inquiring parties with your scan and test attestations? You will facilitate business and demonstrate your compliance.
If you are a service provider doing over 300,000 transactions per year, you’ll need a Level 1 Service Provider Assessment performed by a Qualified Security Assessor. If you’re Level 2, which is everything under 300,000 transactions, you may self-assess using the SAQ D – Service Providers, but you will still be required to demonstrate an annual penetration test and quarterly scanning, along with a passing SAQ. Finally, Level 2 Service Providers can elect to be listed on the Visa Global Registry of Service Providers, but to do so they will have to pass a Level 1 Assessment.