PCI DSS certification stands for Payment Card Industry Data Security Standard. PCI Data Security Standard has been established by the top five credit card issuing companies, MasterCard, Visa, American Express, Discover and Japanese Credit Bureau, who took their individual security standards for online transactions and merged them into one, establishing the PCI Data Security Council. at the same time. The Council is a self-regulatory body which updates the PCI DSS requirements from time to time, trains companies and issues training certificates for companies who then act as PCI Audit executors, and PCI Qualified Security Assessors QSA.
As the online threats multiply in the direction of where the money is (online), the original 12 rules of PCI DSS compliance has evolved and today, as some affected merchants like to say, the 12 rules have over 200 sub-rules that are difficult to interpret, and correspondingly difficult to fulfill. It likely involves annual reporting by a qualified assessor, QSA, and quarterly scanning of outward-looking internet connections by an ASV, Approved Scanning Vendor. Both of which translate to additional costs to the merchant who must undertake the PCI Data Security Standard certification compliance.
So if you are a merchant processing online or point of sale transactions using credit and debit cards, the question comes up, is it mandatory to perform a PCI compliance audit and a PCI scan through third parties?
We’ll point out here the two possible routes for a merchant to avoid costly third party PCI DSS audits and PCI scans and still be PCI compliant. They are: Have fewer than 20,000 payment card transactions in a year, and, Get someone from the company PCI DSS Audit qualified, have them become an ISA, Internal Security Assessor. We will talk about the current PCI DSS 2.0 version.
Have fewer than 20,000 payment card transactions per year
If you are relatively small merchant with fewer than 20,000 transactions in a year, you will be able to fulfill the security requirements by doing an internal security audit and simply fill out a Self-Assessment Questionnaire. There are several types of questionnaires. You can work with your “acquirer”, or the bank through which you are processing your payment card payments to determine which questionnaire is right for you and what are the deadlines for submitting them.
Have someone from within your company PCI DSS Audit qualified
On the opposite end of the spectrum, if you are a large merchant, or a large online service organization, and you have more than 20,000 transactions per year, you can avoid hiring a third party PCI DSS Qualified Security Assessor by simply sending one of your IT professionals to one of the PCI DSS standard compliance seminars to become qualified as an Internal Security Assessor, thereby removing the need for external PCI Audits. The PCI data security standard checklist audits can from now on be done in house by an ISA. ISAs must be re-certified every year, and the company can now perform their own security audits and still remain PCI compliant.