Posted: March, 24, 2021 9:46AM ET • 2 min read

Hand holding a credit card being tapped on a contactless credit card reader

Compliance with the Payment Card Industry Data Security Standards (PCI DSS) is mandated by credit card companies to safeguard cardholder information against theft and misuse. “PCI Compliance,” as it is generally known, refers to the technical and operational standards merchants must meet in order to adequately mitigate data breaches and deter fraudulent use of cardholder information.

Applicability

PCI compliance is not always itself a requirement enforceable by law, however all major credit card issuers require adherence to the standards for liability purposes, and many jurisdictions have crafted their own data-protection laws either referencing PCI requirements or aligning them with those standards.

Some credit issuers, like Visa, exempt merchants from annual PCI compliance evaluations if they take alternative precautions against fraud with equal or greater safeguards, such as EMV or point-to-point encryption.

Validation of Compliance

The Payment Card Industry Data Security Standard (PCI DSS) has six major objectives supported by 12 key requirements. These, in turn, comprise 78 base requirements and are evaluated by over 400 test procedures. The rigorous evaluation process is conducted by the following entities:

Qualified Security Assessor (QSA)

QSAs are independent individuals who have met the PCI DSS’s requirements to conduct appraisals, and who bear a certificate from the PCI SSC to that effect.

Internal Security Assessor (ISA)

An ISA is an individual certified by the PCI SSC to perform PCI self-assessments on behalf of their sponsoring organization. This certification empowers the individuals to not only perform internal appraisals of the organization’s compliance, but to recommend further security solutions and controls to achieve or retain PCI compliance. Part of their responsibility is to liaise with QSAs and assist with their investigations as needed.

Report on Compliance (ROC)

The ROC is completed by all PCI Level 1 merchants to confirm that their policies, strategies, approaches, and workflows have been appropriately developed and implemented to protect cardholder data against fraudulent transactions.

Self-Assessment Questionnaire (SAQ)

What SAQs a merchant is expected to complete will depend on the number and type of transactions they process in a year, however the goal remains the same: to attest to the merchant’s processing bank that they are aware of the requirements and are abiding by them. Questions answered with a “No” will be highlighted for future implementation.