Payment Card Industry: More Than Just a Compliance Assessment

If your organization stores, processes, or transmits credit card data you need to fully understand how the associated cardholder data is used in your organization and where the data flows. Regardless of the size of your organization, inadequate scoping of your environment will lead to unnecessary risk exposure and is one of the principal factors of data breaches. A qualified specialist can help you:

Understand the scope of your cardholder data environment;
Interpret the PCI Data Security Standard (DSS); and
Identify controls that will work in your business and technical environment.

Leverage the expertise of Crowe to help mitigate your PCI compliance risk.
Crowe Horwath LLP offers clients a unique experience, using subject-matter specialists, a proven team-approach methodology, and custom project management tools to assess and maintain a compliant environment. Crowe is a registered Qualified Security Assessor (QSA) company that offers compliance and consulting services designed to help minimize risk and establish and maintain compliance efforts with the least impact to your business.

Crowe works with:

Level 1 and 2 merchants or service providers in need of on-site assessments;
Level 3 or 4 merchants unsure of which self-assessment questionnaire (SAQ) to complete; or
Any financial institution or company trying to manage the risks in its environment without overcomplicating its approach to compliance.

Whether you are working toward compliance for the first time or maintaining compliance, you may need assistance conducting ongoing testing that takes time and resources with the correct skill sets to meet annual and quarterly testing requirements.

Web application security reviews (PCI DSS Requirement 6.6)
Internal and external penetration testing (PCI DSS Requirement 11.3)
Risk assessments (PCI DSS Requirement 12.1.2)

Learn more about how Crowe can help you take control of your cardholder data environment and establish and maintain compliance with the PCI-DSS with our FAQs, PCI industry updates, or by contacting us.

Sort:

	Preparing for Heightened Standards for PCI Compliance		Managing PCI Compliance in the Age of Mobile Payments
	PCI Compliance: The Risks Banks Can Miss (External Link)		PCI Compliance: The Risks Banks Can Miss

More Publications

PCI for 2012: Past, Present, and Future (Webinar Recording)

More Webinars

The links below will take you to a different Website and will open in a new window. www.visa.com/cisp www.mastercard.com/sdp http://www.pcisecuritystandards.org

Frequently Asked Questions

What is the PCI Data Security Standard?

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to help protect cardholder data. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data. PCI DSS includes a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks.

How do I determine if I am a service provider or merchant?

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP (Internet Service Provider) is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

What level of a merchant/service provider am I?

While all merchants and service providers are required to be compliant with the PCI Data Security Standard, validation requirements are based on the level assigned by the card brands. This level is determined based on the number of annual transactions accepted by the organization. View a summary of the card brand assignments by transaction level.

Who has to be PCI compliant?

Any organization that has people, processes, or systems that store, process, or transmit cardholder data must be compliant.

Is Crowe Horwath a QSA company?

In the early 2000s, MasterCard Worldwide and Visa Inc. created the Site Data Protection (SDP) program and Cardholder Information Security Program (CISP), respectively, to help protect their consumer cardholders’ data, regardless of the point-of-sale location (Internet, phone, mail, etc.). In 2004, the Payment Card Industry (PCI) Security Standards Council and the Data Security Standard (PCI-DSS) were created from a joint initiative by Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services, and JCB International using the SDP and CISP programs as a foundation. Crowe’s involvement with the payment card industry was at the forefront of these programs. In 2001, Crowe was indentified as a CISP Company by Visa. When the council was developed in 2004, Crowe became a Qualified Security Assessor company and has remained on the list since then.

Craig Sullivan
574.236.7618

Connect to Crowe
Risk

Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2013 Crowe Horwath LLP
Privacy Policy | Legal

Levels	Level 1	Level 2	Level 3	Level 4
Merchants	Any merchant – regardless of acceptance channel – processing more than 6,000,000 Visa^® transactions per year Any merchant that has suffered a hack or an attack that resulted in an account data compromise Any merchant identified by any card association as Level 1	1 million - 6 million Visa or MasterCard^® transactions per year	20,000 to 1 million Visa or MasterCard e-commerce transactions per year	Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year
Service Providers	VisaNet processors or any service provider that stores, processes, and/or transmits more than 300,000 Visa transactions annually All MasterCard Third Party Processors (TPPs) and Data Storage Entities (DSEs) with more than 300,000 total combined MasterCard and Maestro transactions annually	Any service provider that stores, processes, and/or transmits less than 300,000 Visa transactions annually All DSEs with 300,000 or less total combined MasterCard and Maestro annual transactions annually	n/a	n/a