PCI DSS QSA

Our PCI DSS QSA Services

As an independent PCI QSA firm accredited by the PCI Security Standards Council, ProCheckup embodies excellence in ensuring entities meet the stringent standards of PCI DSS. Our longstanding expertise, since the establishment of the PCI QSA program, provides reliable validation of your compliance posture.

ProCheckUp works with merchants and vendors to ensure they are compliant with PCI Security Council's standard. ProCheckUp are Qualified Security Assessors accredited by the PCI Security Council. To confirm ProCheckUp's status as a QSA with the PCI Security council please click here.

The PCI Data Security Standard

The PCI Data Security Standard is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including Visa, MasterCard, American Express, Discover Financial Services and JCB, in order to facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer account data.

Which level do you need to be assessed against?

The level of assessment performed will depend upon whether you’re a service provider or merchant and at which level. Based on this you will need to either undergo a self-assessment questionnaire (SAQ) or a full Report on Compliance (ROC).

Merchants

Merchants are the most common type of organization affected by PCI compliance. Merchants are organizations that process card transactions, and can range from high-street stores and energy providers to online shops and charities.

Service providers

Service providers are defined as any organization that stores, processes, or transmits cardholder data on behalf of another. This also includes companies that could impact the security of that cardholder data. This covers various types of organizations, including:

  • Hosting providers
  • Call centers
  • Network support
  • Payment processing
  • Media storage centers
  • Data destruction

Some organizations can fall into both categories, handling card payments for themselves and also on behalf of other companies.

Determining your PCI level

As a merchant you would normally receive a letter from your merchant acquirer, informing of the number of transactions and establishing which level of PCI compliance you need to attain.

What are the 4 levels of PCI Compliance?

For merchants, there are four levels, with Level 1 being the highest and Level 4 the lowest. The guidance on how to determine each level is set by the card brands. However, ultimately it’s the merchant acquirer (also known as the acquiring bank) who sets this level. If you’re in any doubt, please contact your acquirer.

Please see the below table or go to our PCI FAQ to find out more information about PCI.

Merchant level Criteria Validation
1

Any merchant processing over 6 million VISA or MasterCard transactions a year

Any compromised merchant

• Annual audit and Report on Compliance (RoC)
• Attestation of Compliance (AoC)
• Quarterly external vulnerability scan by an ASV

2

1-6 million transactions

 

• Self-Assessment Questionnaire (SAQ) or annual audit and RoC
• Attestation of Compliance (AoC)
• Quarterly external vulnerability scan by an ASV

3

20,000-1 million e-commerce transactions

• Self-Assessment Questionnaire (SAQ)
• Attestation of Compliance (AoC)
• Quarterly external vulnerability scan by an ASV

4

<20,000 e-commerce transactions
<1 million otherwise

• Self-Assessment Questionnaire (SAQ) recommended
• Attestation of Compliance (AoC)
• Quarterly external vulnerability scan by an ASV if applicable

Note: The exact thresholds and requirements may vary slightly between different card brands (Visa, MasterCard, American Express, Discover, etc.), so it's important to consult with your acquirer or the specific card brands that you work with.

For service providers, there are only two levels - Level 1 and Level 2. Unlike merchants, service providers must look at the aggregate number of transactions per year to determine which level they are.

Provider level Criteria Validation
1

300,000+ transactions annually

• Annual audit and Report on Compliance (RoC)
• Attestation of Compliance (AoC)
• Quarterly external vulnerability scan by an ASV

2

<300,000 transactions annually

• Self-Assessment Questionnaire (SAQ-D)
• Quarterly external vulnerability scan by an ASV

One of the key differences between merchants and service providers is how they submit completed reports. Merchants submit their completed reports to their acquirer, whereas service providers must submit reports to the individual card brands (Visa, MasterCard, American Express, JCB, and Discover).

Compliance Validation

Both Level 1 merchants and service providers can only validate compliance with an independent assessment by a PCI QSA. Level 2 (and below) merchants and service providers may be able to complete an SAQ to validate compliance.

For merchants, there are multiple SAQs, each of which represents a subset of PCI requirements and can be completed if certain criteria are met. For service providers who wish to self-assess (and merchants who don’t meet the criteria for any other SAQs) SAQ D must be completed. SAQ D constitutes the full set of PCI requirements.

The proof of compliance validation is the Attestation of Compliance (AoC). Completed by an officer of the company responsible for compliance (typically the CFO or similar), this attestation certifies all of the relevant PCI requirements have been met. If the assessment that took place was an audit, this will also be countersigned by the lead QSA responsible for the assessment.

Engagement Lifecycle

ProCheckUp's team of QSAs assists merchants or service providers in the following areas:

  • Initial scoping of requirements
  • Gap analysis
  • Consultancy services, as well as the final onsite PCI DSS audit

The PCI DSS QSA builds a relationship with each client and guides them step by step on their journey to compliance.

Our Article On PCI Compliance provides more detailed guidance about PCI compliance.

Our PCI DSS Solution's

  • PCI-ASV (Approved Scanning Vendor) Services: ProCheckup, a globally recognized ASV, conducts meticulous external vulnerability scans to ensure the integrity of systems handling credit card data, in compliance with PCI-DSS requirement 11.3.2. Our ASV scan solution leverages cutting-edge security tools to rigorously test and confirm your network's defenses against known threats, helping to secure your data transactions. (Learn More)
  • PCI QSA (Qualified Security Assessor) Services: As an independent QSA firm accredited by the PCI Security Standards Council, ProCheckup embodies excellence in ensuring entities meet the stringent standards of PCI DSS. Our longstanding expertise, since the establishment of the QSA program, provides reliable validation of your compliance posture. (Learn More)
  • Penetration Testing: ProCheckup's penetration testing services are an embodiment of our commitment to security excellence, meeting PCI-DSS requirement 11.4.1. Our team of Crest, Cyberscheme, and NCSC-qualified penetration testers, with a proven 24-year track record since 1999, employs a comprehensive approach to identify and remediate exploitable security vulnerabilities. (Learn More)
  • Data Discovery for Primary Account Number (PAN): Our specialized services extend to the detection of PAN within your network, particularly identifying unauthorized storage locations outside the Cardholder Data Environment (CDE), adhering to PCI-DSS requirement 12.5.2. ProCheckup ensures that sensitive payment data is contained and managed securely. (Learn More)
  • Segmentation Testing: With precise technical testing, ProCheckUp validates the efficacy of network segmentation, ensuring that the CDE is isolated from all systems not pertinent to card processing, in compliance with PCI-DSS requirement 11.4.5. This critical service supports PCI-DSS compliance by verifying the robustness of segmentation controls, maintaining the security of your cardholder data environment. (Learn More)

Contact us to discuss your PCI DSS QSA requirements with a QSA.

Need Help?

If you have any questions about cyber security or would like a free consultation, don't hesitate to give us a call!

Our Services

Keep up to date!

Subscribe to our newsletter. Keep up to date with cyber security.


For More Information Please Contact Us

Smiling Person

ACCREDITATIONS