Payment Card Industry: More Than Just a Compliance Assessment
If your organization stores, processes, or transmits credit card data, you need to fully understand how the associated cardholder data is used in your organization and where that data flows. Regardless of the size of your organization, inadequate scoping of your environment leads to unnecessary risk exposure and is one of the principal contributing factors in data breaches. A qualified specialist can help you:
- Understand the scope of your cardholder data environment;
- Interpret the PCI Data Security Standard (DSS); and
- Identify controls that will work in your business and technical environment.
Leverage the expertise of Crowe to help mitigate your PCI compliance risk.
Crowe Horwath LLP offers clients a unique experience, using subject-matter specialists, a proven team-approach methodology, and custom project management tools to assess and maintain a compliant environment. Crowe is a registered Qualified Security Assessor (QSA) company that offers compliance and consulting services designed to help minimize risk and establish and maintain compliance efforts with the least impact to your business.
Crowe works with:
- Level 1 and 2 merchants or service providers in need of on-site assessments;
- Level 3 or 4 merchants unsure of which self-assessment questionnaire (SAQ) to complete; or
- Any financial institution or company trying to manage the risks in its environment without overcomplicating its approach to compliance.
Whether you are working toward compliance for the first time or maintaining compliance, you may need assistance with ongoing testing, which requires time, resources, and the correct skill sets to meet annual and quarterly testing requirements such as:
- Web application security reviews (PCI DSS Requirement 6.6)
- Internal and external penetration testing (PCI DSS Requirement 11.3)
- Risk assessments (PCI DSS Requirement 12.1.2)
Learn more about how Crowe can help you take control of your cardholder data environment and establish and maintain compliance with the PCI DSS through our FAQs, PCI industry updates, or by contacting us.
Frequently Asked Questions
What is the PCI Data Security Standard?
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to help protect cardholder data. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data. PCI DSS includes a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks.
How do I determine if I am a service provider or merchant?
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP (Internet Service Provider) is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
What level of a merchant/service provider am I?
While all merchants and service providers are required to be compliant with the PCI Data Security Standard, validation requirements are based on the level assigned by the card brands. This level is determined based on the number of annual transactions accepted by the organization. View a summary of the card brand assignments by transaction level.
Merchant levels:
- Level 1: any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa® transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1
- Level 2: 1 million to 6 million Visa or MasterCard® transactions per year
- Level 3: 20,000 to 1 million Visa or MasterCard e-commerce transactions per year
- Level 4: fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year
Service provider levels:
- Level 1: VisaNet processors or any service provider that stores, processes, and/or transmits more than 300,000 Visa transactions annually; all MasterCard Third Party Processors (TPPs) and Data Storage Entities (DSEs) with more than 300,000 total combined MasterCard and Maestro transactions annually
- Level 2: any service provider that stores, processes, and/or transmits fewer than 300,000 Visa transactions annually; all DSEs with 300,000 or fewer total combined MasterCard and Maestro transactions annually
Who has to be PCI compliant?
Any organization that has people, processes, or systems that store, process, or transmit cardholder data must be compliant.
Is Crowe Horwath a QSA company?
In the early 2000s, MasterCard Worldwide and Visa Inc. created the Site Data Protection (SDP) program and the Cardholder Information Security Program (CISP), respectively, to help protect their consumer cardholders’ data regardless of the point-of-sale location (Internet, phone, mail, etc.). In 2004, the Payment Card Industry (PCI) Security Standards Council and the Data Security Standard (PCI DSS) were created through a joint initiative by Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services, and JCB International, using the SDP and CISP programs as a foundation. Crowe’s involvement with the payment card industry was at the forefront of these programs. In 2001, Crowe was identified as a CISP Company by Visa. When the council was formed in 2004, Crowe became a Qualified Security Assessor company and has remained on the list since then.