Blog

Filed In: PCI DSS

PCI 101: Transaction Volumes and Validation Requirements

Written By: Chip Ross January 02, 2019

Regarding PCI compliance, all entities that store, process or transmit cardholder data are subject to the requirements of the PCI Data Security Standard (PCI DSS). An entity's Merchant or Service Provider Level, together with how it handles cardholder data, normally determines how that entity is required to validate compliance.

At the most basic level, any entity that interacts with cardholder data (CHD) is either a Merchant or a Service Provider. At a high level, a Merchant is an entity that accepts CHD as payment for goods or services, and a Service Provider is an entity that stores, processes or transmits CHD on behalf of another entity, or provides some service that can affect the security of another entity's CHD. It is possible for an entity to be both a Merchant and a Service Provider.

Merchant Level is determined by:

  1. The annual volume of transactions
    1. This is a count of individual transactions, for each card brand, not dollar amounts
  2. What any card brand demands, if there has been a breach, or for any other reason
  3. What any acquiring bank demands, if there has been a breach, or for any other reason

Service Provider Level is determined by:

  1. The annual volume of transactions
    1. This is a count of individual transactions, for each card brand, not dollar amounts
  2. What any card brand demands, if there has been a breach, or for any other reason

It is important to note that if a Merchant or Service Provider meets the annual transaction volume for a particular level with one card brand, the other brands usually consider them to be at the same level. Additionally, the brands or banks can raise a Merchant or Service Provider Level at any time, for any reason, although this is very rarely done.

An entity may be required to validate its PCI compliance in a number of ways, including a Self-Assessment Questionnaire (SAQ) or an on-site assessment conducted by a QSA (Qualified Security Assessor) or an ISA (Internal Security Assessor, a certification that can be obtained through the PCI Security Standards Council, PCI SSC), who produces a formal Report on Compliance (RoC). An Attestation of Compliance (AOC), a form which summarizes the assessment, exists for the RoC and for each SAQ. Additionally, quarterly ASV scans (external vulnerability scans performed by a PCI SSC Approved Scanning Vendor) are normally required.

Below is a link to a PDF version of this blog article with a summary of the annual transaction volumes (a count of individual transactions, not dollar amounts) and corresponding levels and reporting requirements normally used for each card brand.

PCI 101 - Transaction Volumes and Validation Requirements.pdf

AppSec Consulting is available to help your organization evaluate how well these requirements are being addressed. We also specialize in full-service risk assessment and management services. Contact us today to see how we can assist.

Chip Ross

Chip came up through the ranks of Information Technology, beginning as a contract Desktop Field Engineer in 1997. His career evolution included leading the Desktop Operations team at Northwest Airlines, including day-to-day work direction for a team of 14 packagers and maintaining communication with upper management regarding desktop operations. In 2006, he transitioned to Information Security and delivered compliant merchant RoCs for 2007 – 2010, including the year of the Northwest/Delta merger.

Chip moved to Carlson in 2010 and continued delivering compliant Service Provider and Merchant RoCs from 2010 – 2012 as a Carlson-sponsored ISA. During that time, Chip also conducted many assessments at Carlson hotel and restaurant franchisees, providing on-the-ground guidance to the smaller merchants that make up a large portion of Carlson’s organization. Chip joined United Health Group as a sponsored ISA in early 2013, to provide guidance, tracking and reporting on the PCI efforts for the various teams and business units there.

Drawing on his experience leading, participating in, tracking and reporting on many remediation projects, Chip helps clients achieve their compliance goals through scope reduction, process improvement, and strategic technology integration. Chip's broad background and extensive PCI experience with large corporations enable him to be comfortable working with client personnel anywhere from the data center to the board room, ensuring that AppSec Consulting's clients receive thorough, top-quality consultation and assistance.