Security Basics mailing list archives

Re: How does a customer get PCI audited?


From: mkburns () gmail com
Date: 4 Jun 2008 09:27:21 -0000

Scott, to answer your questions you need to first understand a bit more about how the company conducts its business, 
such as how many cc transactions it processes, how cc transactions are processed (e.g. over the internet, phone, etc.) 
and what cc data is stored by the client.

From here you can determine what level of testing needs to be performed in order to be PCI compliant - 
http://usa.visa.com/merchants/risk_management/cisp_merchants.html

If the client requires an onsite test then this must be done by a QSA; if scans need to be done then this must be done 
by an ASV. A list can be obtained from https://www.pcisecuritystandards.org.

In regards to the chances of being audited, afaik there is no requirement/intention for anyone (acquirer, VISA, 
MasterCard etc) to perform spot audits. The onus of ensuring a merchant is compliant rests with the acquirer. As a 
result your client should have been contacted by their acquirer to provide evidence that they are PCI compliant.

If your client is not compliant then the acquirer may stop processing credit card transactions on behalf of your client.

Here is an extract from the Visa site (same link as provided above) - MasterCard, AMEX etc will have similar reporting 
requirements:

"Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance 
validation documentation from their merchants. Acquirers must submit monthly status reports to Visa and all compliance 
validation documentation must be made available to Visa upon request. Acquirers and merchants should also verify the 
compliance reporting requirements of other payment card brands which may require proof of compliance validation."
 
On a side note, depending on the issues identified and the cost to fix these issues, it may be more beneficial for the 
client to 'outsource' the processing/storage of cc data to a 3rd party service provider - thereby transferring some of 
the risk and also the overhead of PCI compliance (of course you need to ensure that the 3rd party is compliant).

HTH,
Mark
