For a better understanding of PCI DSS Merchant levels and to know how it affects your compliance efforts, we conducted a very informative webinar that works as a comprehensive guide for merchants.
The informative webinar also provides details on applicable PCI SAQ for small merchants and service providers who are not required to submit a compliance report, but rather use the Self-Assessment Questionnaire (SAQ) which is designed as a self-validation tool to assess security for cardholder data.
Webinar Objective
• Briefly understand the PCI DSS compliance requirements.
• Learn about the different merchant levels of compliance and service provider levels of compliance.
• Understand what an SAQ is and which type of SAQ applies to which merchant.
• Learn what an AoC and a RoC are and understand their importance in PCI DSS compliance.
Topics Covered in the Webinar
• A quick introduction to PCI DSS
• PCI DSS validation requirements
• PCI merchant and service provider levels
• What are SAQs, and which one applies to whom?
• What is a RoC?
• What is an AoC?
Gain CPE Points by Attending the Webinar!
• Attend the entire session of the webinar and gain Continued Professional Education points.
• They can be used for various certifications such as CISA, CISSP, CRISC, CISM, PCI QSA, etc.
Free Informative Resources
• Subscribe to our YouTube channel: https://www.youtube.com/c/vistainfosecofficial
• Get access to free informative videos on:
  • PCI DSS
  • HIPAA
  • GDPR
  • SOC1 & SOC2
  • Ethical Hacking
Past Webinars
• PCI DSS - Managing your outsourced vendor
• Log Management and reporting for the PCI environment
• Best practices in Ecommerce security
• PCI DSS and the Cloud – Top risks and Mitigations
• Wireless in the PCI environment – Top risks and Mitigations
• PCI DSS in the virtualized environment – Top risks and Mitigations
• Targeted attacks: Spear Phishing and Social Engineering
• PCI DSS Scoping and Segmentation
• Managing Data Leakage in your PCI environment
• Strategies for migration from early TLS and SSL
• Using PCI DSS for GDPR Compliance
• Using ISO27001 for PCI DSS
• SOC2 and YOU
• GDPR – Are you ready
• SOC2 – Beyond the myth
• GDPR – Steps to a successful DPIA
• Block chain – A crash course – What is it, potential uses and pitfalls
• Tackling Security in the Cloud: CASB to the rescue
• HIPAA – Basics and Beyond…
• Using SOC2 for HIPAA Compliance
• Developing a Cyber Security framework using NIST
• SOC for Cyber Security
• Rights of Data Subjects – GDPR and PDPA
• SOC2 Compliance and the Cloud
• Debunking Top 10 myths of PCI DSS
• Achieving PCI DSS in 90 days
• FDA CFR Part 11 – What’s the hype all about
• Achieving SOC2 Compliance in 90 days – Is it possible?
• Step by step approach to PDPA compliance
• 7 steps for Compliance with NIST 800-171
• PCI DSS - 5 Simple Techniques to reduce scope
• SOC2 and CCM
• In talks with Nitin Bhatnagar (PCI Council) - Meeting Payment Security Needs Now and for the Future
• Covid-19 and Business Continuity
• PA DSS and PCI SSF – How they match up and how they map
• PCI PIN, PCI Cryptography & Key Management
• NESA – How it matters to you
• SOC 2 and GDPR - How to integrate in one audit process
• GDPR & CCPA - Is your organization ready to synchronize
• MAS TRM - Managing the compliance process
• CPRA and CCPA – implications for your business
Four Year Anniversary: four years to the day
As We Go Along
• Do type in your queries in the query box and I will answer as many as possible during the webinar. If time constraints do not allow, I will surely write to you directly.
• Feel free to share a topic of your interest that you would like to learn more about from our team (Information Security, Compliance, Regulatory Standards and Risk Assessment Services related topics).
About Me
Narendra Sahoo
Designation: Founder & Director of VISTA InfoSec
Certifications: PCI QPA, PCI QSA, CISSP, CISA, CRISC, ISO27001 LA
Industry Experience: 25 Years
Mr. Sahoo carries over 25 years of experience in the IT industry, of which the last 15 years have been dedicated to VISTA InfoSec. His professional qualifications include PCI QSA, CISA, CISSP, CRISC and ISO 27001 Lead Assessor. Starting off as an assembly language programmer, with the advent of networking and the Internet in India he moved on into networking and IT management, of which InfoSec was a natural progression.
A very well versed professional with proficiency in globally recognized standards such as ISO27001, PCI DSS, ITIL/ISO 20000 and COBIT, and in many international regulations such as HIPAA, CSV, SOX, SSAE16, SOC, etc., Mr. Sahoo has conducted IT consulting and assessments for large banks, software development organizations, research & development companies and BPOs in India and overseas. Well versed in strategy development and with an astute technical background, he has audited, designed and strategized for a wide variety of information security and networking technologies. He has provided consulting services for premier organizations such as Tata Group, Shell Oil, Cipla, numerous payment processing organizations, a host of banks including the Reserve Bank of India, and the Indian armed forces. He has recently been awarded the “Crest of Honor” by the Indian Navy for his contributions. He was inducted into the CSI – Hall of Fame for his significant contributions to the fraternity.
Sectors: Worked in all verticals, ranging from Government/PSU, BFSI, Pharma, Manufacturing, ITES, etc.
Survey Participation Request
We Value Your Feedback
We request you to complete our brief survey at the end of the webinar and leave your valuable comments.
Your answers will allow us to meet your expectations better.
PCI History
• Late 90’s - Visa recognized a need to protect card data to prevent theft
• June 2001 – Visa mandated rules to protect card data
• Later, the other card associations followed Visa’s lead with their own programs
The four programs were called:
• Visa: CISP – Cardholder Information Security Program
• MasterCard: SDP – Site Data Protection
• American Express: DSOP - Data Security Operating Policy
• Discover: DISC - Discover Information Security & Compliance
PCI History
Once there were four programs, confusion ensued: there were now four sets of rules, guidelines, penalties and fines.
PCI History
The creation of a standards organization named the Payment Card Industry Security Standards Council, also known as PCI.
The founding members were the five major card brands:
• American Express
• MasterCard
• Discover
• Visa
• JCB (Japan Credit Bureau), primarily seen in Hawaii, California and other major T & E markets in the USA
History in Brief
• Visa, MasterCard, American Express, Discover and JCB decided to standardize on a common set of data security requirements for merchants and data processors – the PCI Data Security Standard (PCI DSS)
• The PCI Security Standards Council was formed in 2004 as an independent organization in order to maintain and promote the PCI DSS
• Version 1.0 of the PCI DSS was published in January 2005
• Version 1.1 published in September 2006
• Version 1.2 released October 2008
• Latest version… 3.1.2
PCI History
Not the Perfect Solution
The Good News
• The security guidelines have been consolidated under a single entity – PCI DSS: Data Security Standard
• Your compliance and IT staff will appreciate this
The Bad News
• Due to federal restraint-of-trade laws, the card brands cannot collude on the rules, penalties and fines
• So we must still please multiple masters
• For the most part, Visa’s rules are the most restrictive and are therefore used as the bellwether guideline
Terminology
[Diagram: a payment card transaction flowing between the Cardholder, Merchant, Acquirer, Payment Brand Network and Issuer]
• Authorization: the merchant requests and receives authorisation
• Clearing: the issuer and acquirer exchange purchase and reconciliation information
• Settlement: the issuer pays the acquirer, the merchant receives payment and the cardholder gets charged
More Terminologies
[Diagram: the Cardholder, Merchant, Acquirer and Issuer arranged around a payment card]
Cardholder
• Customer purchasing goods in either a “Card Present” or a “Card Not Present” transaction
• Receives the payment card and bills from the issuer
Issuer
• Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa)
• Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB)
Merchant
• Organization accepting the payment card for payment during a purchase
Acquirer
• Bank or entity the merchant uses to process their payment card transactions
• Receives authorization requests from the merchant and forwards them to the issuer for approval
• Provides authorization, clearing and settlement services to merchants
• The acquirer is also called: Merchant Bank; ISO (sometimes); Payment Brand (Amex, Discover, JCB), but never Visa or MasterCard
Authorisation
1. Cardholder presents card
2. Acquirer asks the payment brand to determine the issuer
3. Payment brand network determines the issuer and requests approval
4. Issuer approves the purchase
5. Payment brand network sends approval to the acquirer
6. Acquirer sends approval to the merchant
7. Cardholder completes the purchase and receives a receipt
The merchant requests and receives authorization from the issuer to allow the purchase to be conducted; an authorization code is provided.
Clearing
1. Acquirer sends purchase information to the payment brand network
2. Payment brand network sends purchase information to the issuer
3. Issuer prepares data for the cardholder statement
4. Payment brand network provides complete reconciliation to the acquirer
The acquirer and issuer exchange purchase information.
Settlement
1. Issuer determines the acquirer via the payment brand network
2. Issuer sends payment to the acquirer
3. Acquirer pays the merchant for the cardholder's purchase
4. Issuer bills the cardholder
The acquirer pays the merchant for the cardholder's purchase, and the issuer bills the cardholder.
Service Providers
A service provider is a business, other than a payment brand, that is directly involved in the processing, storage or transmission of cardholder data on behalf of another entity. Sometimes a service provider is also a merchant.
This includes companies that provide services (to merchants, service providers or other entities) which control or could impact the security of cardholder data.
PCI DSS Merchant Levels
Merchants dealing with card payments through any channel, whether at the point of sale (POS), over the phone, or through e-commerce, are required to comply with the PCI DSS standards.
However, there are four levels of PCI compliance, and the level a business falls into determines which requirements it needs to meet to remain compliant.
Since not all businesses process the same volume of card payments annually, and each carries a different level of risk of data breaches and security incidents, the PCI SSC established four PCI compliance levels that determine the merchant level.
Levels of PCI compliance are classified based on the annual number of credit or debit card transactions a business processes. The classification levels are determined as given below:
Compliance Levels and Requirements for Service Providers
Service providers are third-party vendors who assist merchants with the storage, processing, or transmission of cardholder data. As such, they too are required to comply with PCI DSS.
PCI compliance also applies to vendors who provide services whose controls have an impact on the security of cardholder data, directly or indirectly in some way.
So, similar to merchants, PCI compliance for service providers is also determined by their compliance level.
The compliance levels are based on the number of transactions they perform per year. There are only two levels of PCI compliance for service providers.
Self Assessment Questionnaire
As the name suggests, the PCI Self-Assessment Questionnaire is a self-validation tool that assesses the security of cardholder data.
It basically documents the merchant’s or service provider’s security practices concerning cardholder data.
It is a tool meant for small merchants and service providers who are not required to submit a report of PCI DSS compliance.
The Self-Assessment Questionnaire includes a series of yes-or-no questions for each applicable PCI DSS requirement.
If the answer is no, the merchant is required to provide a future remediation date and an associated plan of action.
Self Assessment Questionnaire
Every merchant environment has a different SAQ that describes how they accept payment cards.
There are 9 different SAQs a merchant needs to select from, depending on how they process, handle and store cardholder data.
The questionnaire determines which PCI DSS compliance requirements apply to merchants and how their current systems align with the security requirements.
Each of the SAQ types has a different goal, and depending on which best applies to the merchant, they can obtain an AoC.
Self Assessment Questionnaire
The SAQ document comprises two components:
• A set of questions corresponding to the PCI Data Security Standard requirements, designed for service providers and merchants.
• An Attestation of Compliance, or certification that you are eligible to perform and have performed the appropriate self-assessment. The Attestation of Compliance document will be provided by the QSA.
Report on Compliance Documents
A Report on Compliance is a PCI DSS requirement for all merchants who fall within the Visa and/or MasterCard Level 1 scope.
Level 1 merchants are those who process over 6 million Visa and/or MasterCard transactions a year.
It is a document issued by a PCI Qualified Security Assessor after a PCI DSS assessment, detailing a merchant's security posture and the current security state of the environment in which they operate.
The assessment includes both an onsite audit and a review of controls, after which the findings are documented in the final draft of the RoC.
The form is then submitted to the merchant's acquiring bank for acceptance.
Once the merchant's acquiring bank accepts the RoC, it then sends the document to Visa/MasterCard for compliance verification.
Attestation of Compliance
Similar to the RoC and SAQ, the requirement for an AoC depends on the merchant's compliance level.
The PCI Attestation of Compliance (AoC) is a document that declares the merchant's status of compliance with the PCI DSS standard.
It is documented evidence for merchants and/or service providers to show their clients and other stakeholders their adoption of best practices for securing cardholder data.
The document is a written statement that the merchant has duly completed the applicable SAQ and has been verified by a Qualified Security Assessor.
Key Takeaway
Achieving and maintaining PCI compliance is the best way to protect a business against cyber attacks.
To achieve PCI DSS compliance, merchants and service providers must first determine which compliance level they fall into.
The level determines the amount of assessment and security validation required to clear the PCI DSS assessment.
Merchants and service providers at every level must be sure they follow the right PCI requirements for their particular level.
Key Takeaway
Once the compliance level is determined, they can then strategize their actions to validate compliance with the twelve requirements.
While the lower levels of compliance requirements may seem simpler, merchants may find it challenging to meet the requirements if they do not have internal IT infrastructure.
Fortunately, cyber security consulting service providers like us at VISTA InfoSec can offer PCI compliance assistance to make the compliance journey easier and more affordable.