The business industry has regulations and policies for almost everything. So it should come as no surprise that credit card payments are also regulated. The PCI SSC, or the Payment Card Industry Security Standards Council, has developed a standard for businesses to demonstrate data security adequacy. Whether you do five thousand or seven million transactions per year, you could be subject to a PCI compliance audit.
What is a PCI compliance audit?
A PCI compliance audit is a routine audit required of merchants who process credit card transactions. This audit is to make sure they are in compliance with the Payment Card Industry Data Security Standard, or the PCI DSS. The PCI DSS has been set up by various credit card companies to ensure a safety standard across all industries. Many merchants are required to go through regular PCI compliance audits. However, an alleged violation can also trigger an audit.
If you have to undergo a PCI audit, a Qualified Security Assessor (QSA) or your own Internal Security Assessor will determine the effectiveness of your organization’s security controls. There are over 200 criteria that your payment network must meet. For your organization to demonstrate PCI compliance, it must do one of two things. Your organization must have an on-site audit by a QSA or Internal Security Assessor, or it must fill out a PCI DSS self-assessment questionnaire, which may or may not lead to an internal audit.
Knowing which scenario applies to you mostly depends on how many credit card transactions you process yearly. Basically, the more transactions processed yearly, the more likely you will need an annual audit and record of compliance (ROC) to meet the requirements of the security framework. There are four levels of merchants, and deciding which level your organization belongs to depends on how many credit card you accept and how many transactions are processed in a year. For example, level I merchants process 1-6 million transactions yearly, and level I service providers process 300,000 per year.
PCI compliance is important to the health and longevity of your company, but it can be understandable if you’re overwhelmed by the process. If you are confused and overwhelmed by the process of filling out a self-evaluation, you can contact SecureWon, and we can help you navigate this process and assist you in maintaining compliance with the PCI DSS.