How to ensure that your business is PCI-DSS compliant

How do you become compliant?
The first thing you have to do is determine what level of merchant you are. If you process less than 20,000 e-commerce transactions a year, you would be considered a Level 4 merchant, and can report annually on a self-assessment questionnaire. The criteria get tougher as you go up. A Level 1 merchant processes over six million transactions a year, and is required to engage a third party to complete the compliance assessment workpapers.
The second step is to perform an assessment of your technology environment to see how it measures up against the list of PCI specifications. Again, there are 12 high-level requirements, 61 different key processes, and 148 specific inquiries relating to those processes. For each of the requirements, it is advisable to have documentation of how your organization complies. This documentation should be detailed enough to clearly explain the technologies that are in use, but it also should be clear and concise so that the executive management who must sign an attestation of compliance can understand what the requirements are and what specific solutions your company has implemented to address each inquiry/risk. For each requirement for which you don’t have a procedure or technology in place to mitigate the risk, you are required to demonstrate knowledge of the specification you’re not performing, and explain why the other things you’re doing (i.e. compensating controls) meet the same objective. Ultimately, your bank will determine whether you’re in compliance. It wants to see that you’ve designed new processes and procedures, or that you’ve implemented the procedure that didn’t previously exist.
What are the benefits of compliance?
Your systems and data will be safe and secure, you’ll have a low risk of any adverse consequences occurring, and the customers’ trust you’ve built up over the years won’t be shattered in an instant by a careless lack of attention to detail when securing your card-holder data computing environment.
Michael R. Dickson, CPA, CISA, CISM, is the director of the Business Technology Group at GBQ Partners LLC. Reach him at (614) 947-5259 or [email protected].