
As a business owner or manager, you're likely responsible for ensuring your company's PCI DSS compliance. This involves validating the compliance of all entities that store, process, or transmit cardholder data.
The Payment Card Industry Data Security Standard (PCI DSS) requires validation every 12 to 18 months. This ensures that your business remains compliant with the latest security standards.
You'll need to identify and validate the compliance of all entities involved in the payment process, including merchants, service providers, and third-party vendors. This includes any company that has access to your payment systems or handles sensitive cardholder data.
In the next section, we'll dive deeper into the specifics of who needs to validate PCI DSS compliance and what to expect from the process.
Who Has to Validate PCI DSS Compliance
If you're a merchant, you're responsible for ensuring that your service providers are PCI DSS-compliant.
Service providers can be any organization that stores, processes, or transmits information on behalf of a bank, merchant, or another service provider. To locate a certified service provider, you can download the list of PCI DSS-compliant service providers.
There are two service provider levels: Level 1 and Level 2. Level 1 service providers store, process, and/or transmit more than 300,000 transactions per year, while Level 2 service providers store, process, and/or transmit fewer than 300,000 transactions per year.
To determine which level your service provider falls under, refer to the following table:
Level | Annual transactions stored, processed, and/or transmitted
Level 1 | More than 300,000
Level 2 | Fewer than 300,000
You're also responsible for ensuring that your service providers acknowledge their PCI DSS responsibilities in writing and that you know what access they have to your shoppers' cardholder data.
Compliance Validation Process
You'll need to validate your PCI DSS compliance if you're using a service provider who has access to your shoppers' cardholder data. This is because you're outsourcing part of your PCI DSS responsibilities.
To do this, you'll need to ask your service provider for their Service Provider's Attestation of Compliance. You can then verify that they're registered with the schemes and listed on Visa's Global Registry of Service Providers and Mastercard's Compliant Service Provider List.
You'll also need to provide Sana Commerce with the names of your service providers and the functions you outsource to them, clearly stated in part 2F of your Self-Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC), together with each service provider's own Attestation of Compliance.
In summary, the compliance validation process is:
- Ask your service provider for their Service Provider's Attestation of Compliance.
- Verify that the provider is registered with the card schemes and listed on Visa's Global Registry of Service Providers and Mastercard's Compliant Service Provider List.
- List your service providers and their outsourced functions in part 2F of your SAQ or AoC and submit this to Sana Commerce, along with the provider's AoC.
Remember, using service providers doesn't relieve you of the ultimate responsibility for your own PCI DSS compliance.
Validation Criteria for Service Providers
To be a compliant service provider, you must meet the validation criteria set by Visa. A service provider is any organization that stores, processes, or transmits information on behalf of a bank, merchant, or another service provider.
Service providers are categorized into two levels: Level 1 and Level 2. Level 1 service providers are those that store, process, and/or transmit over 300,000 transactions per year, while Level 2 service providers are those that store, process, and/or transmit less than 300,000 transactions per year.
To be included on Visa's List of PCI DSS Compliant Service Providers, a service provider must meet the validation requirements for its level. Level 1 service providers that validate are included on the list; Level 2 service providers are not.
A service provider that does not meet the Level 1 criteria can nevertheless choose to validate as a Level 1 service provider in order to be included on the list. This is optional, not a requirement.
Here is a summary of the two service provider levels:
Level | Annual transactions | Included on Visa's list?
Level 1 | More than 300,000 | Yes, once validated
Level 2 | Fewer than 300,000 | No (unless the provider chooses to validate as Level 1)
Compliance Validation Deadlines
Compliance validation deadlines are a crucial aspect of the PCI data security standards.
If you're a Level 1 or Level 2 Merchant, you'll need to provide confirmation that you don't retain sensitive authentication data after transaction authorization by September 30, 2009.
Level 1 Merchants have an additional deadline: they must confirm full compliance with the PCI Data Security Standards by September 30, 2010.
Processors also need to confirm full compliance with the PCI Data Security Standards by September 30, 2010.
Here's a summary of the deadlines:
Entity | Requirement | Deadline
Level 1 and Level 2 Merchants | Confirm that sensitive authentication data is not retained after authorization | September 30, 2009
Level 1 Merchants | Confirm full compliance with PCI DSS | September 30, 2010
Processors | Confirm full compliance with PCI DSS | September 30, 2010
PCI DSS Compliance Details
If you're using a service provider who has access to your shoppers' cardholder data, you're outsourcing part of your PCI DSS responsibilities.
You're required to ask your service provider for their Service Provider's Attestation of Compliance. This document is essential in verifying their compliance with PCI DSS standards.
Ensure that the service provider is registered with the schemes and is listed on Visa's Global Registry of Service Providers and Mastercard's Compliant Service Provider List.
To provide Sana Commerce with the necessary information, you need to list the names of your service providers, along with the corresponding outsourced functions, clearly stated in part 2F of your Self-Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC).
You must also provide the Service Provider's Attestation of Compliance.
Here are the key steps to follow:
- Ask your service provider for their Service Provider's Attestation of Compliance.
- Verify that the service provider is registered with the schemes and listed on Visa's Global Registry of Service Providers and Mastercard's Compliant Service Provider List.
- Provide Sana Commerce with the names of your service providers and their corresponding outsourced functions.
- Submit the Service Provider's Attestation of Compliance.
You must also manage the relationship with the service provider as described in PCI DSS requirement 12.8, which means:
- keeping a list of all the service providers you use;
- maintaining written agreements and acknowledgements of their PCI DSS responsibilities;
- carrying out due diligence before engaging a provider; and
- monitoring each provider's PCI DSS compliance status by requesting their AoC every year.
Frequently Asked Questions
Who must comply with PCI DSS compliance?
Merchants who accept or process payment cards must comply with PCI DSS. This includes any entity that stores, processes, or transmits cardholder data.
How often must PCI DSS compliance be validated?
PCI DSS compliance must be validated annually by completing a self-assessment questionnaire (SAQ) through an online portal. This ensures the ongoing security and integrity of credit card transactions.
Sources
- https://support.sana-commerce.com/Content/Sana-Apps/Payment-Services/Sana-Pay/Get-Started/PCI-DSS-Compliance-Guide.htm
- https://caribbean.visa.com/run-your-business/small-business/information-security/compliance-validation.html
- https://security.stackexchange.com/questions/260678/how-to-check-validity-of-a-pci-dss-attestation-of-compliance-certificate
- https://www.metomic.io/resource-centre/a-guide-to-pci-compliance
- https://www.schellman.com/services/pci-compliance/pci-dss