To continue from our previous blog, "How much do you know about PCI DSS compliance Part 1", we now cover our final three key facts: assessment methods, penalties for non-compliance and how long compliance lasts.
4. What are the different ways of being assessed?
In order to validate PCI DSS compliance, your organisation can be assessed in one of two ways: an onsite assessment by an independent Qualified Security Assessor (QSA), which produces a Report on Compliance (ROC), or a Self-Assessment Questionnaire (SAQ). The acquirer (the merchant's bank) advises which type of assessment is required, and this is normally based on the number of card transactions the merchant or service provider processes each year. For example, Visa defines separate validation levels for merchants and for service providers, and the level determines which assessment method must be used.
An onsite assessment by an independent QSA is required at the top level. For Visa service providers this is Level 1, which applies to organisations processing over 300,000 transactions annually. (Merchant levels use their own, higher thresholds; a Visa Level 1 merchant processes over 6 million transactions annually.)
A Self-Assessment Questionnaire (SAQ) is a validation tool that lets lower-level merchants and service providers self-evaluate their compliance against the PCI DSS requirements. For Visa service providers processing fewer than 300,000 transactions annually, this is Level 2. Note that the acquirer or card brand can require a QSA assessment regardless of level, for example following a breach.
5. What are the penalties for not being PCI DSS compliant?
PCI DSS is not a law but a contractual standard enforced by the card brands. Card payment brands such as Visa and Mastercard penalise and fine acquiring banks, at their discretion, for non-compliance or for a breach involving cardholder data. The fines vary between card brands, but commonly cited figures range from $5,000 to $25,000 per month for ongoing non-compliance, with larger one-off amounts of $25,000 to $200,000 per violation, and from $5,000 to $100,000 per month for prohibited data storage violations (for example, storing full track data, CVV2 or PIN blocks after authorisation). The acquiring banks are most likely to pass these fines downstream to the merchant, and may furthermore terminate the relationship or increase transaction fees. The penalties associated with violations are seldom publicised, but for smaller merchants they can cause irreversible damage, and for larger merchants they tarnish the brand.
6. How long are you compliant for once you have been accredited?
All merchants and service providers that are PCI DSS compliant should be continually assessing their operations, fixing any vulnerability identified and sending the required reports (for example, quarterly external vulnerability scans by an Approved Scanning Vendor) to their acquiring bank. Validation itself covers 12 months and must be repeated annually, by either a QSA onsite assessment or a self-assessment questionnaire as appropriate to your level, to remain compliant with the standard. Between validations it is business as usual: maintaining the systems and controls so that the environment stays compliant, not just compliant at the point of assessment.