Re: How does a customer get PCI audited?
From: mkburns () gmail com
Date: 4 Jun 2008 09:27:21 -0000
Scott, to answer your questions you need to first understand a bit more about how the company conducts its business,
such as how many cc transactions it processes, how cc transactions are processed (e.g. over the internet, phone, etc.)
and what cc data is stored by the client.
From here you can determine what level of testing needs to be performed in order to be PCI compliant -
If the client requires an onsite test, then this must be done by a QSA; if scans need to be done, then these must be done
by an ASV - a list can be obtained from https://www.pcisecuritystandards.org.
In regard to the chances of being audited, afaik there is no requirement/intention for anyone (acquirer, VISA,
MasterCard etc.) to perform spot audits. The onus of ensuring a merchant is compliant rests with the acquirer. As a
result your client should have been contacted by their acquirer to provide evidence that they are PCI compliant.
If your client is not compliant, then the acquirer may stop processing credit card transactions on behalf of your client.
Here is an extract from the Visa site (same link as provided above) - MasterCard, AMEX etc. will have similar reporting:
"Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance
validation documentation from their merchants. Acquirers must submit monthly status reports to Visa and all compliance
validation documentation must be made available to Visa upon request. Acquirers and merchants should also verify the
compliance reporting requirements of other payment card brands which may require proof of compliance validation."
On a side note, depending on the issues identified and the cost to fix these issues, it may be more beneficial for the
client to 'outsource' the processing/storage of cc data to a 3rd party service provider, thereby transferring some of
the risk and also the overhead of PCI compliance (of course you need to ensure that the 3rd party is compliant).