0Tolerance can assist with PCI Compliance QSA services. 0Tolerance is a listed Payment Card Industry (PCI) Qualified Security Assessor (QSA), meaning we are approved and listed with the PCI Security Standards Council (SSC) to perform QSA engagements for your organization.
What Is PCI DSS
The PCI Data Security Standard (PCI DSS) is a set of security standards that were developed by the PCI SSC to protect cardholder data. It applies to any organization that stores, processes, or transmits cardholder data, regardless of the size or number of transactions.
The PCI DSS is important because it helps organizations protect against data breaches and cyber-attacks that can result in the loss or theft of sensitive cardholder data. This includes personal information such as credit card numbers, expiration dates, and security codes. By following the PCI DSS, organizations can reduce the risk of data breaches and protect themselves and their customers from financial losses and damage to their reputation.
The PCI DSS protects cardholder data by requiring organizations to implement a set of security controls and best practices. Organizations must also perform regular self-assessments or third-party audits to ensure that their security controls are effective and that they are complying with the PCI DSS.
PCI Service Provider Requirements
In the context of the PCI DSS, service providers are organizations that provide services to other organizations that handle cardholder data. Examples of service providers include payment processors, hosting providers, and managed service providers. Service Providers can be either Level 1 or Level 2. All Level 1 Service Providers must undergo a third-party QSA audit annually. Level 2 Service Providers may choose between a third-party QSA audit and the Self-Assessment Questionnaire Type D for Service Providers.
All Service Providers must undergo a full annual penetration test, a second annual penetration test for segmentation testing purposes (6 months after the full test), PCI ASV external vulnerability scanning, and internal vulnerability scanning.
PCI Merchant Requirements
Merchants, on the other hand, are organizations that accept credit and debit card payments from customers. They are responsible for ensuring that their payment systems are PCI DSS compliant. There are four levels of merchants, Levels 1 through 4, based on transaction volume and how cards are accepted. Level 1 Merchants must undergo a third-party audit. Level 2 Merchants in some cases have a choice between a third-party audit and self-assessment. Level 3 and Level 4 Merchants generally self-assess.
Merchant PCI ASV External Scanning Requirements:
Level 1 Merchants
Level 2-4 Merchants completing SAQ Types A-EP, B-IP, C, or D
Merchant PCI Internal Vulnerability Scanning Requirements:
Level 1 Merchants
Level 2-4 Merchants completing SAQ Types C or D
Merchant PCI Penetration Testing Requirements:
Level 2-4 Merchants completing SAQ Type A-EP must undergo external network penetration and internal network segmentation testing.
Level 2-4 Merchants completing SAQ Type B-IP must undergo internal network segmentation testing.
Level 2-4 Merchants completing SAQ Type C must undergo internal network segmentation testing.
Level 2-4 Merchants completing SAQ Type C-VT must undergo internal network segmentation testing.
Level 2-4 Merchants completing SAQ Type D must undergo external network penetration testing, full internal network penetration testing, and internal network segmentation testing.